Windows Analysis Report
15Er6ACahF.exe

Overview

General Information

Sample name: 15Er6ACahF.exe (renamed because the original name is a hash value)
Original sample name: 76fe569a0452a49e3101eb393e0c871faee725269b3a512c6f3f27e21b27e2e8.exe
Analysis ID: 1631809
MD5: 101069a235a97ccc62948b1b41dc81d3
SHA1: c86fa56f0213bb7ffb58f765a778f75c1ba27211
SHA256: 76fe569a0452a49e3101eb393e0c871faee725269b3a512c6f3f27e21b27e2e8
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • 15Er6ACahF.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\15Er6ACahF.exe" MD5: 101069A235A97CCC62948B1B41DC81D3)
    • 15Er6ACahF.exe (PID: 5864 cmdline: "C:\Users\user\Desktop\15Er6ACahF.exe" MD5: 101069A235A97CCC62948B1B41DC81D3)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.2707874069.0000000003C3C000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security | Strings: (none)
Source: 0000000C.00000002.3449430259.000000000228C000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security | Strings: (none)
      No Sigma rule has matched
Timestamp: 2025-03-07T16:14:46.470544+0100 | SID: 2803270 | Severity: 2 | Classtype: Potentially Bad Traffic | Source IP: 192.168.2.9 | Source Port: 49691 | Destination IP: 142.250.181.238 | Destination Port: 443 | Protocol: TCP

      AV Detection

Source: 15Er6ACahF.exe | Virustotal: Detection: 68%
Source: 15Er6ACahF.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 15Er6ACahF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.9:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.9:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: 15Er6ACahF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_004065C7 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00402868 FindFirstFileW
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 12_2_00402868 FindFirstFileW
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 12_2_004065C7 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 12_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49691 -> 142.250.181.238:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | X-GUploader-UploadID: AKDAyIuILnXGUxOJ-0hJF41Bg-R0LwxNoWArLq02j62TvswpioUEjtl3QO1fK6xDNSUamntLhBgnUIE | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Fri, 07 Mar 2025 15:14:49 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Content-Security-Policy: script-src 'nonce-3epTC4oSXnLkQcU3oTBzSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Cross-Origin-Opener-Policy: same-origin | Content-Length: 1652 | Server: UploadServer | Set-Cookie: NID=522=sqdPFPYSHhL7c6aqw984SPjgnlL0WMzzTdo21NWzWfCNnF1oFY0eHAwn_JQHDBvRBHqFpghGhod_wzR_-oNVNahdVgmCrSnzRBjGr3yLCwH6v9iTJx-W7YCYgavIRfbfgrPgNsqYwP_1WRXX4mGf7sNIPqN1U5v8XjJSlcO4Lsa5hFRSNGYwx3icD4kUAy05; expires=Sat, 06-Sep-2025 15:14:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIvMQT00CPYaKs-MGdSiDN7l4gWuCXFYPpIcyWb0cBwZMERRvzWyqEoIUl27l9HpWwh0txVBPYkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 15:15:41 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-eh6zQDmjAmjkfZOLKvoXTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: 15Er6ACahF.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347159605.0000000005399000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.000000000539B000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005398000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283805326.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380306302.000000000539E000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.00000000052E8000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.00000000052E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/%
      Source: 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/8
      Source: 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/FBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/FBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloade-
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/FBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadecnap
      Source: 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/FBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadt
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/Local
      Source: 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/P
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/U
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/bleclick.cn
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2986908142.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/cn.com
      Source: 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ecurity
      Source: 15Er6ACahF.exe, 0000000C.00000003.2954773231.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2986908142.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ertificates
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.00000000052E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/mb
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.00000000052E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=do
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005324000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453983238.0000000006DC0000.00000004.00001000.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2954773231.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283762422.000000000533A000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347124894.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2986908142.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453430756.00000000050DB000.00000004.00000010.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3246471638.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2954773231.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2986908142.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy2
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy7Qsz-5k2NK9boRy
      Source: 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRyer
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005324000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283762422.000000000533A000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347124894.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3246471638.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177430805.0000000005339000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRyf
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005324000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283762422.000000000533A000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347124894.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3246471638.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177430805.0000000005339000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRyh
      Source: 15Er6ACahF.exe, 0000000C.00000003.3283762422.000000000533A000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3246471638.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177430805.0000000005339000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRyst
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2883169631.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2954773231.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2986908142.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890547268.0000000005392000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
      Source: 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177430805.0000000005339000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.000000000534B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download0
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download44
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloade-
      Source: 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadec
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadk
      Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadm
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3113730221.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3082055803.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3245641632.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadoi
      Source: 15Er6ACahF.exe, 0000000C.00000003.3018221519.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2883169631.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2954773231.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380101218.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3315255268.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2986908142.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadt
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347159605.0000000005399000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.000000000539B000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005398000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283805326.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380306302.000000000539E000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347159605.0000000005399000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.000000000539B000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005398000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283805326.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380306302.000000000539E000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347159605.0000000005399000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.000000000539B000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005398000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283805326.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380306302.000000000539E000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347159605.0000000005399000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.000000000539B000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005398000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283805326.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380306302.000000000539E000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
      Source: 15Er6ACahF.exe, 0000000C.00000003.3177392372.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923456658.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3049762977.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2890514420.0000000005359000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347159605.0000000005399000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.000000000539B000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347021065.0000000005398000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.2923523269.0000000005357000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3145965604.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3414669508.0000000005352000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283805326.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3380306302.000000000539E000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283660814.0000000005352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
      Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
      Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
      Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
      Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
      Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
      Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
      Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
      Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
      Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.9:49691 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49692 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49698 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.9:49699 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49700 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49702 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49706 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49708 version: TLS 1.2
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 12_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00404C68
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_0040698E
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_70581B5F
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 12_2_00404C68
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 12_2_0040698E
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: String function: 00402C41 appears 45 times
      Source: 15Er6ACahF.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: 15Er6ACahF.exe | Binary or memory string: OriginalFilenamedovetailwise.exeN vs 15Er6ACahF.exe
      Source: 15Er6ACahF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engine | Classification label: mal68.troj.evad.winEXE@3/14@2/2
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00404879 GetDiskFreeSpaceW,MulDiv
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_0040216A CoCreateInstance
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | File created: C:\Users\user\spinsterishly
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | File created: C:\Users\user\AppData\Local\Temp\nsdDE3.tmp
      Source: 15Er6ACahF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 15Er6ACahF.exe | Virustotal: Detection: 68%
      Source: 15Er6ACahF.exe | ReversingLabs: Detection: 55%
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | File read: C:\Users\user\Desktop\15Er6ACahF.exe
      Source: unknown | Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: schannel.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: timelanges.lnk.0.dr | LNK file: ..\..\..\Program Files (x86)\Common Files\prgedes.paa
      Source: timelanges.lnk0.0.dr | LNK file: ..\..\..\Program Files (x86)\Common Files\prgedes.paa
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | File written: C:\Users\user\spinsterishly\Aphthartodocetic.ini
      Source: 15Er6ACahF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      Source: Yara match | File source: 00000000.00000002.2707874069.0000000003C3C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.3449430259.000000000228C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_70581B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | File created: C:\Users\user\AppData\Local\Temp\nsk1333.tmp\System.dll
      Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\15Er6ACahF.exe API/Special instruction interceptor: Address: 45BC375
Source: C:\Users\user\Desktop\15Er6ACahF.exe API/Special instruction interceptor: Address: 2C0C375
Source: C:\Users\user\Desktop\15Er6ACahF.exe RDTSC instruction interceptor: First address: 45933D0 second address: 45933D0 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7E4082C89Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\15Er6ACahF.exe RDTSC instruction interceptor: First address: 2BE33D0 second address: 2BE33D0 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7E40FEB97Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\15Er6ACahF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk1333.tmp\System.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe TID: 4600 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\15Er6ACahF.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 12_2_00402868 FindFirstFileW,12_2_00402868
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 12_2_004065C7 FindFirstFileW,FindClose,12_2_004065C7
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 12_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_00405996
Source: 15Er6ACahF.exe, 0000000C.00000002.3453641987.00000000052E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`a4
Source: 15Er6ACahF.exe, 0000000C.00000003.3246471638.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177430805.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347124894.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283762422.0000000005340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 15Er6ACahF.exe, 0000000C.00000003.3246471638.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3177430805.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000002.3453641987.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3347124894.0000000005340000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000C.00000003.3283762422.0000000005340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: C:\Users\user\Desktop\15Er6ACahF.exe API call chain: ExitProcess graph end node graph_0-4778
Source: C:\Users\user\Desktop\15Er6ACahF.exe API call chain: ExitProcess graph end node graph_0-4783
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_70581B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_70581B5F
Source: C:\Users\user\Desktop\15Er6ACahF.exe Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403359
MITRE ATT&CK Matrix, listed per tactic column (a leading number is the count shown in the report for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 3 File and Directory Discovery; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery