Edit tour

Windows Analysis Report
MNLS4PjscF.exe

Overview

General Information

Sample name:	MNLS4PjscF.exe renamed because original name is a hash value
Original sample name:	2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b.exe
Analysis ID:	1632411
MD5:	7730242b95171f0ccb03e28bf8f5056b
SHA1:	a5348671e4b92b3c64086abe6fced83f251e692c
SHA256:	2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b
Tags:	AdwareGenericexeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	84
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MNLS4PjscF.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\MNLS4PjscF.exe" MD5: 7730242B95171F0CCB03E28BF8F5056B)

MNLS4PjscF.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\MNLS4PjscF.exe" MD5: 7730242B95171F0CCB03E28BF8F5056B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1551650221.000000000A349000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: MNLS4PjscF.exe PID: 7276	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:30:47.020893+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49688	142.250.186.142	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MNLS4PjscF.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: MNLS4PjscF.exe	Virustotal: Detection: 66%			Perma Link
Source: MNLS4PjscF.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: MNLS4PjscF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.7:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49688 -> 142.250.186.142:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
Source: global traffic	HTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIuN8ZUfOvJohGwebJsZMZ2an8uz0KiL4iotDf8dfkhWAWNLJol3R_d_b5HLe8JxWsCRzx3WAFoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:30:49 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-CiocIO1INPLh4xtvZkMR7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA; expires=Sat, 06-Sep-2025 22:30:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIueAmsvM7F3cElPMqP19Db6f5FdYwo76t8n5dgztEtS_yFsj4MbB0jH9NVEneEYMhkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:30:54 GMTContent-Security-Policy: script-src 'nonce-4fkLeAGDX0f0Jph-V75TJg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIuFBQubsEGfme0XUlCdg4JAWWdppaZSyqlAHKtA0YqQcqPefdo6SOgvNSSurEB9nuaTContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:30:59 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-auBnxkYXn9HeSTFd86SO0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIsojyuZ9lVhC-LQxj-2OrXYze_eNZn-L6B4gH8dZf1oW5X-GxponLWkEseExxaOkdGiContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:31:04 GMTContent-Security-Policy: script-src 'nonce-UfblFQhV8jeLXmCY-TgCyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyItM5CJLo7i77_JfotP65MlINdkk4Um641emJXpAMgvJTAzagDyfAfs3CsWmGtciuog5Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:31:09 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-5fuob5HZ8nt0piMF6TaQlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIuOBsP8F2q0Ed-YeUizVbuD5wDtcE_sMXjLysawkfNqRSzSJG1onvH8l-DtATwmR1UContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:31:14 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-HnWUlhdtlInDuuvz81zWlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIuh8d4IxsahtBDulJIJUSV10pzpx9aHnPcYr3akotYsTSOHLWUTqGzS2NwvfK03v1cCf1L3s4oContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:31:19 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-l6Yq4-dlVyNMyk38gf7kFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIvP2mWS-gA7B2nPZTthVzqnPON3zlfMYzwBreymPs1qVqBUrhJJXEGjAHTf6uziTT9AContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:31:25 GMTContent-Security-Policy: script-src 'nonce-8JXjsLOtQcaE-a5GZy5cfw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIs7RxfqreYUG378MAxOim2ID4tJU15JrPMAQkBMZ4r_3Henu5cGEnt9yjB0d9HjIZUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:31:30 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-GKKicmN9elSftuETiB6X7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: MNLS4PjscF.exe, 00000008.00000003.1694469091.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1694535877.00000000078B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: MNLS4PjscF.exe, 00000008.00000003.1694469091.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1694535877.00000000078B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: MNLS4PjscF.exe, 00000000.00000002.1550432579.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000000.00000000.879599687.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000008.00000000.1546772030.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download
Source: MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/NYp
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/_1
Source: MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/r
Source: MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn(
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn:
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5GuxnD
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5GuxnMicroso
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5GuxnZ
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxnht9u7UOKSY5Guxn
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxnht9u7UOKSY5GuxnEI
Source: MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxnht9u7UOKSY5GuxneI
Source: MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxnst
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxnt
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxnxed=x
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/MhX
Source: MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/PhG
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975171131.00000000078F2000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770296919.00000000078F2000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2080151629.00000000078F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download1
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download2S
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download3/
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download7
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloada_
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloade
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadeP
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadfS
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadhS
Source: MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadid
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.cok
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.7:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		8_2_00403358

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_00404B0E	8_2_00404B0E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_0040653D	8_2_0040653D

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: String function: 00402B38 appears 47 times

Source: MNLS4PjscF.exe, 00000000.00000002.1550546239.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs MNLS4PjscF.exe
Source: MNLS4PjscF.exe, 00000008.00000002.2132570087.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs MNLS4PjscF.exe

Source: MNLS4PjscF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/30@2/2

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne

Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsmA3FE.tmp

Jump to behavior

Source: MNLS4PjscF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MNLS4PjscF.exe	Virustotal: Detection: 66%
Source: MNLS4PjscF.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File read: C:\Users\user\Desktop\MNLS4PjscF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udgyd.ini

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: MNLS4PjscF.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.1551650221.000000000A349000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_10002DB0 push eax; ret

0_2_10002DDE

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

File created: C:\Users\user\AppData\Local\Temp\nsxBF78.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Skjoldbrusks.Moe	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Galmandsvrks.For231	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tiggerstavens.fes	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udgyd.ini	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udtrttede.ini	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\aktioners.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\begrdeliges.pro	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\burdie.ini	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\cartographer.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\histographies.txt	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\icekhana.txt	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\manxman.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\modstaaet.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\musicianer.spi	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\ndder.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\romantiserendes.ini	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\semiquadrangle.ini	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\sugarcane.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian\tinkle.jpg	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian\unagitatedness.txt	Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	API/Special instruction interceptor: Address: A4072DE
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	API/Special instruction interceptor: Address: 68A72DE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	RDTSC instruction interceptor: First address: A3A60AE second address: A3A60AE instructions: 0x00000000 rdtsc 0x00000002 test dx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F09F886B447h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	RDTSC instruction interceptor: First address: 68460AE second address: 68460AE instructions: 0x00000000 rdtsc 0x00000002 test dx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F09F8BB5887h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxBF78.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\MNLS4PjscF.exe TID: 5052

Thread sleep time: -80000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B

Source: MNLS4PjscF.exe, 00000008.00000003.1770338681.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\MNLS4PjscF.exe	API call chain: ExitProcess graph end node			graph_0-4511
Source: C:\Users\user\Desktop\MNLS4PjscF.exe	API call chain: ExitProcess graph end node			graph_0-4516

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MNLS4PjscF.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MNLS4PjscF.exe	67%	Virustotal		Browse
MNLS4PjscF.exe	61%	ReversingLabs	Win32.Spyware.Snakekeylogger
MNLS4PjscF.exe	100%	Avira	TR/AD.NsisInject.vqxpt

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsxBF78.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.google.cok	0%	Avira URL Cloud	safe
http://crl.microsof	0%	Avira URL Cloud	safe
http://crl.micros	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.186.142	true	false		high
drive.usercontent.google.com	142.250.186.33	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.cok	MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/PhG	MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsof	MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/NYp	MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/r	MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/MhX	MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1770338681.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1820603100.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1846585634.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1898053327.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078B0000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1796268741.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	MNLS4PjscF.exe, 00000008.00000003.2001657231.00000000078B1000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2139939778.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.000000000789E000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1975210550.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2053656397.00000000078AD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	MNLS4PjscF.exe, 00000000.00000002.1550432579.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000000.00000000.879599687.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000008.00000000.1546772030.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
https://drive.google.com/_1	MNLS4PjscF.exe, 00000008.00000002.2139939778.0000000007848000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft.	MNLS4PjscF.exe, 00000008.00000003.1694469091.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1694535877.00000000078B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.micros	MNLS4PjscF.exe, 00000008.00000003.1694469091.00000000078B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1694535877.00000000078B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.142	drive.google.com	United States		15169	GOOGLEUS	false
142.250.186.33	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632411
Start date and time:	2025-03-07 23:28:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MNLS4PjscF.exe renamed because original name is a hash value
Original Sample Name:	2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/30@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 54 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Execution Graph export aborted for target MNLS4PjscF.exe, PID 5684 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:30:48	API Interceptor	8x Sleep call for process: MNLS4PjscF.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 142.250.186.33
	g44YQtTyjN.exe	Get hash	malicious	DarkCloud	Browse	142.250.186.142 142.250.186.33
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 142.250.186.33
	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 142.250.186.33
	hUMdKouQ1H.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 142.250.186.33
	2Jq4fZJIJ8.exe	Get hash	malicious	GuLoader	Browse	142.250.186.142 142.250.186.33
	GyGE2VaBFL.exe	Get hash	malicious	GuLoader	Browse	142.250.186.142 142.250.186.33
	1258ad6Jpw.exe	Get hash	malicious	GuLoader	Browse	142.250.186.142 142.250.186.33
	ZUY4Nq2SyY.exe	Get hash	malicious	GuLoader	Browse	142.250.186.142 142.250.186.33
	cqWZtEH4eJ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 142.250.186.33

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsxBF78.tmp\System.dll	GBYfjUz4a5.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	BtCQu5APhK.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	GuuQOl5kJR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Steel Sample- QUOTE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Steel Sample- QUOTE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Skambenets.exe	Get hash	malicious	GuLoader	Browse
	Skambenets.exe	Get hash	malicious	GuLoader	Browse
	Marcom Trade SS-04665.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Hermaean.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SecuriteInfo.com.FileRepMalware.23885.29286.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Process:	C:\Users\user\Desktop\MNLS4PjscF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.33197669498491
Encrypted:	false
SSDEEP:	3:U4ooQGRDWh:hooQh
MD5:	340AD700CF73B73EA2313C044D40EA9A
SHA1:	9B90CC3147D140FA936E308C2C320BDC385DA93A
SHA-256:	55A2B8F5EF1D17023FD8245E69830CC961C0CE629EDDC7AC1043C288CB3915B5
SHA-512:	4B31D10B80AE71197AC367C868569949224A4CD542BF0E9C188B816348EC8958F952525F939C827BDDC8610F268DD12E310D6D2FC99071C741B3A38E062542B4
Malicious:	false
Reputation:	low
Preview:	[Chocho240]..struct=finkulturel..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.956197504044966
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MNLS4PjscF.exe
File size:	883'660 bytes
MD5:	7730242b95171f0ccb03e28bf8f5056b
SHA1:	a5348671e4b92b3c64086abe6fced83f251e692c
SHA256:	2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b
SHA512:	74a89a765c1d138b3e9c90a0cbb3768ded91ceb7140d99b97b8aec2392e88e58d3b46a657db6738f8effa59743ae6e4eab19bc264944273adaa7543dfab9626c
SSDEEP:	12288:Zt1Y3a5Pi5kV98nWGjFxN1bIyPA2lKZ7SimXcL9WIoXygi+VIfX+SPA4c5Wj6wnM:VY0Pi5kId5F55lc7zmXcLEr9t4UkM
TLSH:	1A1523005BDD8666EAE521B36D7381AAC3779E968553820F5F443F7B3C342B184A32DB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x5040	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x5040	0x5200	b2da62e34b8c62c487b136a5434db933	False	0.17844893292682926	data	2.8674367335879127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4d298	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.10197095435684647
RT_ICON	0x4f840	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.17659474671669795
RT_ICON	0x508e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.21598360655737706
RT_ICON	0x51270	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2703900709219858
RT_DIALOG	0x516d8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x51820	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x51940	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x51a60	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x51ac0	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x51b00	0x238	data	English	United States	0.5422535211267606
RT_MANIFEST	0x51d38	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Description	Data
FileDescription	vignetted
LegalCopyright	dommedagsprdikenens johnnis
LegalTrademarks	kodes
OriginalFilename	toggler triumvirates.exe
ProductVersion	3.5.0.0
Translation	0x0409 0x04e4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 23:30:44.301100016 CET	54080	53	192.168.2.7	1.1.1.1
Mar 7, 2025 23:30:44.308722019 CET	53	54080	1.1.1.1	192.168.2.7
Mar 7, 2025 23:30:47.036686897 CET	56821	53	192.168.2.7	1.1.1.1
Mar 7, 2025 23:30:47.043759108 CET	53	56821	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:30:46 UTC	216	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-03-07 22:30:47 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:30:46 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-v7REsDB1tf33vLS_UZYsZQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:30:48 UTC	258	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-03-07 22:30:49 UTC	1926	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIuN8ZUfOvJohGwebJsZMZ2an8uz0KiL4iotDf8dfkhWAWNLJol3R_d_b5HLe8JxWsCRzx3WAFo Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:30:49 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'nonce-CiocIO1INPLh4xtvZkMR7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA; expires=Sat, 06-Sep-2025 22:30:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:30:49 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 54 65 41 72 4f 38 63 72 73 4e 59 62 49 78 61 30 52 31 4d 66 68 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="TeArO8crsNYbIxa0R1Mfhg">*{margin:0;padding:0}html,code{font:15px/22px arial

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:30:51 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:30:52 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:30:51 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-UEIBpNo8Dxw7v8GnlSDknA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:30:53 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:30:54 UTC	1533	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIueAmsvM7F3cElPMqP19Db6f5FdYwo76t8n5dgztEtS_yFsj4MbB0jH9NVEneEYMhk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:30:54 GMT Content-Security-Policy: script-src 'nonce-4fkLeAGDX0f0Jph-V75TJg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:30:54 UTC	1533	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6b 50 5a 6d 78 34 62 69 36 36 6c 52 6e 38 61 49 2d 6b 43 45 5a 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="kPZmx4bi66lRn8aI-kCEZw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:30:54 UTC	119	IN	Data Raw: 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:30:56 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:30:57 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:30:56 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ChR8u5N5613L21qKWN658w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:30:58 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:30:59 UTC	1534	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIuFBQubsEGfme0XUlCdg4JAWWdppaZSyqlAHKtA0YqQcqPefdo6SOgvNSSurEB9nuaT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:30:59 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-auBnxkYXn9HeSTFd86SO0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:30:59 UTC	1534	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 77 59 6a 30 4f 2d 65 51 49 36 32 31 48 51 65 49 69 75 73 6d 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="4wYj0O-eQI621HQeIiusmA">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:30:59 UTC	118	IN	Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:01 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:02 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:01 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Rg6WYaj946sWYSVkiuZIkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:04 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:04 UTC	1534	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIsojyuZ9lVhC-LQxj-2OrXYze_eNZn-L6B4gH8dZf1oW5X-GxponLWkEseExxaOkdGi Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:04 GMT Content-Security-Policy: script-src 'nonce-UfblFQhV8jeLXmCY-TgCyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:31:04 UTC	1534	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 50 46 73 61 70 2d 30 5f 51 30 43 34 33 47 64 79 50 62 74 46 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="DPFsap-0_Q0C43GdyPbtFA">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:31:04 UTC	118	IN	Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:06 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:07 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:07 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-ef3E9Jew7rywnWssYQqHIg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:09 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:09 UTC	1534	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyItM5CJLo7i77_JfotP65MlINdkk4Um641emJXpAMgvJTAzagDyfAfs3CsWmGtciuog5 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:09 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-5fuob5HZ8nt0piMF6TaQlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:31:09 UTC	1534	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 56 46 4b 38 6d 76 33 78 4f 6d 52 67 46 34 69 53 49 44 45 62 50 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="VFK8mv3xOmRgF4iSIDEbPw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:31:09 UTC	118	IN	Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:11 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:12 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:12 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-EYNhR3W2q1p9jAgGov5B9w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MNLS4PjscF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Varda.ini

C:\Users\user\AppData\Local\Temp\Alpha.ini

C:\Users\user\AppData\Local\Temp\nsbA40E.tmp

C:\Users\user\AppData\Local\Temp\nsdC2A5.tmp

C:\Users\user\AppData\Local\Temp\nseC566.tmp

C:\Users\user\AppData\Local\Temp\nslBCC7.tmp

C:\Users\user\AppData\Local\Temp\nsoC41D.tmp

C:\Users\user\AppData\Local\Temp\nsvC6FE.tmp

C:\Users\user\AppData\Local\Temp\nsxBF78.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Galmandsvrks.For231

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Skjoldbrusks.Moe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian\tinkle.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian\unagitatedness.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udgyd.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udtrttede.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\aktioners.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\begrdeliges.pro

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\burdie.ini

Windows Analysis Report
MNLS4PjscF.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:14 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:15 UTC	1533	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIuOBsP8F2q0Ed-YeUizVbuD5wDtcE_sMXjLysawkfNqRSzSJG1onvH8l-DtATwmR1U Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:14 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-HnWUlhdtlInDuuvz81zWlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:31:15 UTC	1533	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 54 78 32 35 6a 58 6c 6f 32 45 2d 43 5a 78 4a 49 39 4c 46 4c 45 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Tx25jXlo2E-CZxJI9LFLEw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:31:15 UTC	119	IN	Data Raw: 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:16 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:17 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:17 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-34UdtbDYINowCQ1WHYgsAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:19 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:20 UTC	1541	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIuh8d4IxsahtBDulJIJUSV10pzpx9aHnPcYr3akotYsTSOHLWUTqGzS2NwvfK03v1cCf1L3s4o Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:19 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-l6Yq4-dlVyNMyk38gf7kFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:31:20 UTC	1541	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 69 6b 62 7a 79 4a 6a 39 4a 4c 2d 67 4f 54 76 69 49 63 75 45 46 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ikbzyJj9JL-gOTviIcuEFQ">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:31:20 UTC	111	IN	Data Raw: 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: ts an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:22 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:22 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:22 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-_OAVgV4Cjg_mjB4oyMpTWA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:24 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:25 UTC	1534	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIvP2mWS-gA7B2nPZTthVzqnPON3zlfMYzwBreymPs1qVqBUrhJJXEGjAHTf6uziTT9A Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:25 GMT Content-Security-Policy: script-src 'nonce-8JXjsLOtQcaE-a5GZy5cfw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:31:25 UTC	1534	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 53 49 7a 5a 32 73 55 7a 43 46 62 4b 48 4a 74 77 62 47 75 51 5a 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="SIzZ2sUzCFbKHJtwbGuQZg">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:31:25 UTC	118	IN	Data Raw: 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:27 UTC	428	OUT	GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:28 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:27 GMT Location: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-6KX4KtiqC2HgvWdidLFj7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-03-07 22:31:30 UTC	470	OUT	GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=522=dav52gsBSilSlpCodFXcTUF0lZ4vC8O6Ux5nwJlvN1WHGzJ4TkypemSFXEfC4EazYsJuIAIB3uraTGbJ0nrjh9jgbc8tmHxvbPk9l_MsSqSHSpbakPb15PJ2z51FMoVk3Wyz4qyhPG1ZvinmrqwjKAXjjqGhXR6J3zoef1kmzZkmUBISOCo4_U54dl830oJjOA
2025-03-07 22:31:31 UTC	1533	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AKDAyIs7RxfqreYUG378MAxOim2ID4tJU15JrPMAQkBMZ4r_3Henu5cGEnt9yjB0d9HjIZU Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 07 Mar 2025 22:31:30 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-GKKicmN9elSftuETiB6X7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-03-07 22:31:31 UTC	1533	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6a 6c 55 44 51 65 4f 4a 66 6b 62 43 76 56 48 68 57 4f 67 79 69 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="jlUDQeOJfkbCvVHhWOgyiA">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-03-07 22:31:31 UTC	119	IN	Data Raw: 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	0
Start time:	17:29:24
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\MNLS4PjscF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MNLS4PjscF.exe"
Imagebase:	0x400000
File size:	883'660 bytes
MD5 hash:	7730242B95171F0CCB03E28BF8F5056B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1551650221.000000000A349000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	17:30:31
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\MNLS4PjscF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MNLS4PjscF.exe"
Imagebase:	0x400000
File size:	883'660 bytes
MD5 hash:	7730242B95171F0CCB03E28BF8F5056B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false