Windows Analysis Report
MNLS4PjscF.exe

Overview

General Information

Sample name: MNLS4PjscF.exe (renamed because the original name is a hash value)
Original sample name: 2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b.exe
Analysis ID: 1632411
MD5: 7730242b95171f0ccb03e28bf8f5056b
SHA1: a5348671e4b92b3c64086abe6fced83f251e692c
SHA256: 2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b
Tags: Adware, Generic, exe, user-adrian__luca

Detection

GuLoader
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MNLS4PjscF.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\MNLS4PjscF.exe" MD5: 7730242B95171F0CCB03E28BF8F5056B)
    • MNLS4PjscF.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\MNLS4PjscF.exe" MD5: 7730242B95171F0CCB03E28BF8F5056B)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2801090944.00000000067E9000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000000.00000002.1663798524.000000000A499000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: MNLS4PjscF.exe PID: 7124 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:38:24.728131+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49690 | 142.250.74.206 | 443 | TCP


AV Detection
Source: MNLS4PjscF.exe | Avira: detected
Source: MNLS4PjscF.exe | Virustotal: Detection: 66%
Source: MNLS4PjscF.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: MNLS4PjscF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49703 version: TLS 1.2
Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00405770 CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_0040622B FindFirstFileW, FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_0040276E FindFirstFileW, 8_2_0040276E
Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_00405770 CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose, 8_2_00405770
Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_0040622B FindFirstFileW, FindClose, 8_2_0040622B
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49690 -> 142.250.74.206:443
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cacheCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficHTTP traffic detected: GET /download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si
        Source: global trafficDNS traffic detected: DNS query: drive.google.com
        Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIspHWsrvKxrrfRBpUoURNfujakDsc6NVyrpDeWh8JwvTsQ_-whAR-tj6o2KFflx7LfuVGt84GkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:38:27 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-41XTwAAf_A5nR8OPYmFgYA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=522=pa5AwoyQf7wuJ7Iag4G0zXkz8_ejnBeYWJ21ZjR64Tg7df25_UpHNxcSDt3OlAq3b7X4SxCn5rBpi6EcBAQCVf1urCsIZKs6ON5wybsXie1s_JQ7SOim7fYD_nZN_K6CXO_Lga9GtF71JjwHJjBDTfyevopQIPCjM43B1erZH-8irVy_SXy1oX_e4YOqj_si; expires=Sat, 06-Sep-2025 22:38:27 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyItx5LhbftpucLNBTG9RBODGi7GFrDhFj3b2BzVvnw14OLoNl9IBQw6pYW13ioqs2bknContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:38:42 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-XpVGt9FOOKRR6JNmTvWK1w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyItSwZdiSbJI8ZwJa5O-slaDIXn6FcRctBZhgUPb-YiQS02s0kNB4euyz_rmoD8N-c3zContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:38:59 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-euIuFZKUrFp_l6AM5RY9qg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIvCdx7HBTHMlZYBqWKpR-vvPJz99ErIlBO-2lOZacKt1jnnp18aAoY1j-rmS9C9K-sContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:39:14 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-LutlwmunjJxUvtVsWNj9sw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIta4NBM0Wi6xzw2lWHfsuucbVjRvotUr86JDN07_dBy9JyTcIRz-eUvX-CbjMjdV_9TContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:39:30 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-yIfdW_fmDd3AZ54IYsgKPQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIubCGNpRxsbTVlrkb89y2Dr6aue8Iy0UNMkQqAB7CZUW7CYj_o_nPzN3NuDkuBNFsjDPH6tDG0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:39:45 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-M2Fdiyq-JZagQ6c4KRFW7w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AKDAyIsJsm-gKH2xbzb5-C9-2cXLZhRZo3A2XDNDVXh5Z3ig9mDaL9xvDkBRhadgNxcaY-l-Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 07 Mar 2025 22:40:00 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-MGiWfDb4U2aHugmzBC_CSA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
        Source: MNLS4PjscF.exe, 00000000.00000002.1662395603.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000000.00000000.949807130.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000008.00000000.1658548995.0000000000409000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
        Source: MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=d
        Source: MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/%V
        Source: MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/-H
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.0000000007768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/.h6
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/C
        Source: MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/Local
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/The
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/crosoft
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/ertificates
        Source: MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/et
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077A4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807906704.0000000009300000.00000004.00001000.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444889264.000000000782A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5GuxnA.
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5GuxnJ
        Source: MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1xf907JeXelEi4jUTPht9u7UOKSY5GuxnP
        Source: MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
        Source: MNLS4PjscF.exe, 00000008.00000003.1841566562.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/_
        Source: MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download-z
        Source: MNLS4PjscF.exe, 00000008.00000003.2159944805.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=download;
        Source: MNLS4PjscF.exe, 00000008.00000003.2159944805.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133821085.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadM
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133821085.00000000077B6000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077B8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077B7000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159944805.00000000077B7000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadU
        Source: MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadco
        Source: MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloade
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadic
        Source: MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadid
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1xf907JeXelEi4jUTPht9u7UOKSY5Guxn&export=downloadl
        Source: MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
        Source: MNLS4PjscF.exe, 00000008.00000003.1841566562.00000000077DD000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077CE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159944805.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077CE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1813936302.00000000077DF000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077C6000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1813936302.00000000077CE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077BE000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807191590.0000000007768000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
        Source: MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.comLa
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
        Source: MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
        Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
        Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
        Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
        Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
        Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
        Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49690 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49691 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49692 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49692 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49697 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49699 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49701 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49703 version: TLS 1.2
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Windows\resources\0809
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00404B0E
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_0040653D
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_00404B0E
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_0040653D
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: String function: 00402B38 appears 38 times
        Source: MNLS4PjscF.exe, 00000000.00000002.1662659248.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename toggler triumvirates.exe4 vs MNLS4PjscF.exe
        Source: MNLS4PjscF.exe, 00000008.00000000.1658567775.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename toggler triumvirates.exe4 vs MNLS4PjscF.exe
        Source: MNLS4PjscF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: classification engine | Classification label: mal84.troj.evad.winEXE@3/30@2/2
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00404755 GetDiskFreeSpaceW,MulDiv
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_004020A4 CoCreateInstance
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Local\Temp\nsi71EA.tmp
        Source: MNLS4PjscF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: MNLS4PjscF.exe | Virustotal: Detection: 66%
        Source: MNLS4PjscF.exe | ReversingLabs: Detection: 60%
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File read: C:\Users\user\Desktop\MNLS4PjscF.exe
        Source: unknown | Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: riched20.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: usp10.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: msls31.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: schannel.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: dpapi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udgyd.ini

        Data Obfuscation

        Source: Yara matchFile source: Process Memory Space: MNLS4PjscF.exe PID: 7124, type: MEMORYSTR
        Source: Yara matchFile source: 00000008.00000002.2801090944.00000000067E9000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.1663798524.000000000A499000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\MNLS4PjscF.exeCode function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406252
        Source: C:\Users\user\Desktop\MNLS4PjscF.exeCode function: 0_2_10002DB0 push eax; ret 0_2_10002DDE
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Local\Temp\nsq8749.tmp\System.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Skjoldbrusks.Moe
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Galmandsvrks.For231
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tiggerstavens.fes
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udgyd.ini
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Udtrttede.ini
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\aktioners.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\begrdeliges.pro
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\burdie.ini
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\cartographer.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\histographies.txt
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\icekhana.txt
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\manxman.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\modstaaet.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\musicianer.spi
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\ndder.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\romantiserendes.ini
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\semiquadrangle.ini
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\sugarcane.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian\tinkle.jpg
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Stalkingly\Orarian\unagitatedness.txt
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | API/Special instruction interceptor: Address: A5572DE
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | API/Special instruction interceptor: Address: 68A72DE
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | RDTSC instruction interceptor: First address: A4F60AE second address: A4F60AE instructions: 0x00000000 rdtsc 0x00000002 test dx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F19C4E4F507h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | RDTSC instruction interceptor: First address: 68460AE second address: 68460AE instructions: 0x00000000 rdtsc 0x00000002 test dx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F19C46F3FF7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq8749.tmp\System.dll
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe TID: 7156 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_0040276E FindFirstFileW | 0_2_0040276E
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405770
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_0040622B FindFirstFileW,FindClose | 0_2_0040622B
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_0040276E FindFirstFileW | 8_2_0040276E
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 8_2_00405770
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 8_2_0040622B FindFirstFileW,FindClose | 8_2_0040622B
        Source: MNLS4PjscF.exe, 00000008.00000003.2159944805.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133821085.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW-
        Source: MNLS4PjscF.exe, 00000008.00000003.2159944805.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133821085.00000000077C9000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807191590.0000000007768000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | API call chain: ExitProcess graph end node | graph_0-4470
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | API call chain: ExitProcess graph end node | graph_0-4474
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress | 0_2_00406252
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Process created: C:\Users\user\Desktop\MNLS4PjscF.exe "C:\Users\user\Desktop\MNLS4PjscF.exe"
        Source: C:\Users\user\Desktop\MNLS4PjscF.exe | Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW | 0_2_00405F0A
        MITRE ATT&CK matrix (a leading number is the count of matched signatures for that technique; entries without a number did not match):

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
        Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
        Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
        Defense Evasion: 11 Masquerading; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 3 File and Directory Discovery; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
        Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
        Source | Detection | Scanner | Label
        MNLS4PjscF.exe | 67% | Virustotal |
        MNLS4PjscF.exe | 61% | ReversingLabs | Win32.Spyware.Snakekeylogger
        MNLS4PjscF.exe | 100% | Avira | TR/AD.NsisInject.vqxpt
        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\nsq8749.tmp\System.dll | 0% | ReversingLabs |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        https://www.google.comLa | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        drive.google.com | 142.250.74.206 | true | false | | high
        drive.usercontent.google.com | 142.250.186.33 | true | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://www.google.com | MNLS4PjscF.exe, 00000008.00000002.2807191590.00000000077C8000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/et | MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/ | MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/ertificates | MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/crosoft | MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.usercontent.google.com/ | MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/-H | MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/.h6 | MNLS4PjscF.exe, 00000008.00000002.2807191590.0000000007768000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://www.google.comLa | MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.000000000781B000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://apis.google.com | MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077BE000.00000004.00000020.00020000.00000000.sdmp | false | | high
        http://nsis.sf.net/NSIS_ErrorError | MNLS4PjscF.exe, 00000000.00000002.1662395603.0000000000409000.00000004.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000000.00000000.949807130.0000000000409000.00000008.00000001.01000000.00000003.sdmp, MNLS4PjscF.exe, 00000008.00000000.1658548995.0000000000409000.00000008.00000001.01000000.00000003.sdmp | false | | high
        https://drive.usercontent.google.com/_ | MNLS4PjscF.exe, 00000008.00000003.1841566562.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/%V | MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/The | MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2313746499.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2159881896.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2287857909.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1970928899.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2133777302.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.1997908071.00000000077D5000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/Local | MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://drive.google.com/C | MNLS4PjscF.exe, 00000008.00000003.2445006003.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000002.2807345804.00000000077DC000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2470548085.00000000077D4000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2777106329.00000000077DB000.00000004.00000020.00020000.00000000.sdmp, MNLS4PjscF.exe, 00000008.00000003.2444920253.00000000077D4000.00000004.00000020.00020000.00000000.sdmp | false | | high
        IP | Domain | Country | ASN | ASN Name | Malicious
        142.250.74.206 | drive.google.com | United States | 15169 | GOOGLEUS | false
        142.250.186.33 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
        Joe Sandbox version: 42.0.0 Malachite
        Analysis ID: 1632411
        Start date and time: 2025-03-07 23:35:54 +01:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 7m 47s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name: Run with higher sleep bypass
        Number of new started processes analysed: 12
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: MNLS4PjscF.exe
        renamed because original name is a hash value
        Original Sample Name: 2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b.exe
        Detection: MAL
        Classification: mal84.troj.evad.winEXE@3/30@2/2
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:
        • Successful, ratio: 85%
        • Number of executed functions: 53
        • Number of non-executed functions: 76
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 23.60.203.209
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
        • Execution Graph export aborted for target MNLS4PjscF.exe, PID 6080 because there are no executed functions
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
                                          No simulations
                                          No context
                                          No context
                                          No context
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        37f463bf4616ecd445d4a1937da06e19 | OW1i3n5K3s.exe | malicious | GuLoader, Snake Keylogger | 142.250.74.206, 142.250.186.33
        | GBYfjUz4a5.exe | malicious | GuLoader, Snake Keylogger | 142.250.74.206, 142.250.186.33
        | g44YQtTyjN.exe | malicious | DarkCloud | 142.250.74.206, 142.250.186.33
        | BtCQu5APhK.exe | malicious | GuLoader, Snake Keylogger | 142.250.74.206, 142.250.186.33
        | GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | 142.250.74.206, 142.250.186.33
        | hUMdKouQ1H.exe | malicious | GuLoader, Snake Keylogger | 142.250.74.206, 142.250.186.33
        | 2Jq4fZJIJ8.exe | malicious | GuLoader | 142.250.74.206, 142.250.186.33
        | GyGE2VaBFL.exe | malicious | GuLoader | 142.250.74.206, 142.250.186.33
        | 1258ad6Jpw.exe | malicious | GuLoader | 142.250.74.206, 142.250.186.33
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        C:\Users\user\AppData\Local\Temp\nsq8749.tmp\System.dll | GBYfjUz4a5.exe | malicious | GuLoader, Snake Keylogger |
        | BtCQu5APhK.exe | malicious | GuLoader, Snake Keylogger |
        | GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger |
        | Steel Sample- QUOTE.exe | malicious | FormBook, GuLoader |
        | Steel Sample- QUOTE.exe | malicious | FormBook, GuLoader |
        | Skambenets.exe | malicious | GuLoader |
        | Skambenets.exe | malicious | GuLoader |
        | Marcom Trade SS-04665.exe | malicious | Remcos, GuLoader |
        | Hermaean.exe | malicious | GuLoader, MassLogger RAT |
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):33
                                                            Entropy (8bit):4.33197669498491
                                                            Encrypted:false
                                                            SSDEEP:3:U4ooQGRDWh:hooQh
                                                            MD5:340AD700CF73B73EA2313C044D40EA9A
                                                            SHA1:9B90CC3147D140FA936E308C2C320BDC385DA93A
                                                            SHA-256:55A2B8F5EF1D17023FD8245E69830CC961C0CE629EDDC7AC1043C288CB3915B5
                                                            SHA-512:4B31D10B80AE71197AC367C868569949224A4CD542BF0E9C188B816348EC8958F952525F939C827BDDC8610F268DD12E310D6D2FC99071C741B3A38E062542B4
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:[Chocho240]..struct=finkulturel..
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):47
                                                            Entropy (8bit):4.628848957968553
                                                            Encrypted:false
                                                            SSDEEP:3:YOm45GXQLQIfLBJXmgxv:5TGXQkIP2I
                                                            MD5:B895D576D6637A778B387B2FCA0F56EC
                                                            SHA1:E78D2BE4D94673D612C16D29C330BB0C78778429
                                                            SHA-256:BFEC1E97ED5D34825521D60B98986D1564CD159B4D1F9569EAE4C3464D2F5C47
                                                            SHA-512:B4A771D1B517A2776BA440F79F168306C244DF1A6DE1966313157154D8D52BEAD8131B95F846C2F55C15382E04284FFFC6CF6ABF3F6FCFCB259DF2EA58D769E5
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:[Current]..Ini=user32::EnumWindows(i r1 ,i 0)..
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):74
                                                            Entropy (8bit):3.9637832956585757
                                                            Encrypted:false
                                                            SSDEEP:3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
                                                            MD5:16D513397F3C1F8334E8F3E4FC49828F
                                                            SHA1:4EE15AFCA81CA6A13AF4E38240099B730D6931F0
                                                            SHA-256:D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
                                                            SHA-512:4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 4.256564762130954
Encrypted: false
SSDEEP: 3:DyWgLQIfLBJXmgU:mkIP25
MD5: F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1: 93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256: C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512: 1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious: false
Reputation: moderate, very likely benign file
Preview: user32::EnumWindows(i r1 ,i 0)

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: data
Category: dropped
Size (bytes): 2129096
Entropy (8bit): 5.480154099747067
Encrypted: false
SSDEEP: 49152:vn9caFqd9Dv9YpvkOtFu0mBFmvYFe0m40mD0mbXCP:v9caI9Ypv5twRrgoTU
MD5: 1A31BCE4E868014E605CCB1ED43E6388
SHA1: C7EA246EB669762AEAE3E64626936ECF9168D711
SHA-256: A9AECDB8CE4802482940AA6C14C5BD04E2EF983FAE29ECC9197B170518ED5DD6
SHA-512: 4D3EAE0E86E6ECF6369D188A021C71F11E09F682F5EEBBDDF0FA628FE052690ACB7AE4372753221FA6C6E90C592AAD2CE1975E85150D88859B0D74E4E33091C2
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 52
Entropy (8bit): 4.0914493934217315
Encrypted: false
SSDEEP: 3:sBa99k1NoCFOn:KankVg
MD5: 5D04A35D3950677049C7A0CF17E37125
SHA1: CAFDD49A953864F83D387774B39B2657A253470F
SHA-256: A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512: C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious: false
Preview: kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11264
Entropy (8bit): 5.813979271513012
Encrypted: false
SSDEEP: 192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5: 7399323923E3946FE9140132AC388132
SHA1: 728257D06C452449B1241769B459F091AABCFFC5
SHA-256: 5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512: D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: GBYfjUz4a5.exe, Detection: malicious
• Filename: BtCQu5APhK.exe, Detection: malicious
• Filename: GuuQOl5kJR.exe, Detection: malicious
• Filename: Steel Sample- QUOTE.exe, Detection: malicious
• Filename: Steel Sample- QUOTE.exe, Detection: malicious
• Filename: Skambenets.exe, Detection: malicious
• Filename: Skambenets.exe, Detection: malicious
• Filename: Marcom Trade SS-04665.exe, Detection: malicious
• Filename: Hermaean.exe, Detection: malicious

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.52973742089034
Encrypted: false
SSDEEP: 3:sEMBQEJkJVEjXTQXK5xQoXUn:BXUxvUn
MD5: D4453567A455B741556C4DE15C9F6446
SHA1: 410FD7474030E724F52D4E30F5F12027CE4869DB
SHA-256: A1FA0DCDBE660BE838CD82F50BEA1C422988CDD527009F26B4F3DD314106C46E
SHA-512: 45247F2AC6631E83BF7BCC8AD56C775689E8A4A1E18C3355B0A02AE9498854CA71033396C9BD6570833342C6CFAF1C4427D064E8515DA383BBF04A25E347E0EE
Malicious: false
Preview: kernel32::VirtualAlloc(i 0,i 98652160, i 0x3000, i 0x40)p.r1

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 56
Entropy (8bit): 4.264383994261771
Encrypted: false
SSDEEP: 3:sAAEVvjsNXKwL84n:fLsXD
MD5: FFE600086504D94D0E7E2F8A331F5D85
SHA1: 1FB3FA48BFA30F04FC957C05A90C824FDB38F048
SHA-256: EB6C41469BC87CBE962DB30D4BC3772CC2EDFA9D216E51F5E93A06A51FBAB86D
SHA-512: 42D46FC0C26A4ADC5EEBB4B129378F36CA6A91434D6060B11F22A209F20B840F28681A62C22D751142019F746C131DA16578FB8687C52DE0706E6BCBE51417D2
Malicious: false
Preview: kernel32::ReadFile(i r5, i r1, i 98652160,*i 0, i 0)i.r3

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: data
Category: dropped
Size (bytes): 38720
Entropy (8bit): 4.559800120228938
Encrypted: false
SSDEEP: 768:mEnxVfKxpxr2nSuTYOn3SNpkhXQeclp7u6+Y7wNBJ:meVCd2LsOIk+TDuNd
MD5: 69B437B47D51431F4999052D686B3C9D
SHA1: 02ACE3384FFE99470060A7DEE66F123344A47787
SHA-256: CFC48C38571EAD57A568AA56565B39BF26B0539457EBF70A044133EDCF7EC411
SHA-512: A43EB73588DFCE4A04E2896EC347E00BCE2F5F145BFCA8D7B2EC99B9E43E5E0165A7A2BC9D333BC1D71396F726A8F2CA0805369D65B0C47121CBEE3A78D42F18
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 607x510, components 3
Category: dropped
Size (bytes): 116646
Entropy (8bit): 7.9723106052665536
Encrypted: false
SSDEEP: 3072:Cq3EK4+CecuNPZ23e6at5JG7QXnv0tD6nI:Cq3PRCeTZ1tspwI
MD5: 2400D62D49391C7874C3DF868B3399ED
SHA1: F5AF15AAE9EE9BD00F459D67EBBCDB8E48B6D4A3
SHA-256: C400565DCC08D080953E47902F2946C687C4F814C3BA51E0D4E63E4242112566
SHA-512: 7CE7C0DAA1B222DD67D6292F9FE3A9BDFB0782C790D817C0B4B348B8D8AB7B5630D8DBFB953ED55093DFB2DCABF8FBB257A4ED666B2145D8946E0D2C082DB70B
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: data
Category: dropped
Size (bytes): 439122
Entropy (8bit): 7.092576485156292
Encrypted: false
SSDEEP: 12288:vnLQmOSHmgIcmz2F9U1fLjtPNpTZh9Ys8IeG:vn0uHBrmaF9U1f3NNp9h9YpvG
MD5: 1CBF6CC43016032CFCCB35CCFA3ED06F
SHA1: 1B7554E0945B28AAF2B7C872EE9727C40E2F2211
SHA-256: 65FCE8874CD3297D1FAD0BD26093EC26A392D068F1372E963BFF2F5A5F705B88
SHA-512: 0C13854187B62E62BF9E61F1060B7F823EEA7D6C5C28ADC3410FDD6EA15906B369EA613183C5C3F6226E6C895FF0830E222C138014BED83423854677D2571595
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 670x109, components 3
Category: dropped
Size (bytes): 10701
Entropy (8bit): 7.839639743360956
Encrypted: false
SSDEEP: 192:Lzr3FqEXWDs3kosNACUJ2PDTHjHzCM4guHBTGgAuihMBvUjhIaRTHO:3r3FqCd3Bsy1IPDTDebgkTG1XNHO
MD5: 6AB549CF24DE4802D3806218FDC48906
SHA1: DADA9FCA4EC7121494CC70B3E7A2018E0F8116CA
SHA-256: D484ED1BD415EC1F924CA80A2B8EBD60FF02998A3AD3028145C75900F51F19DF
SHA-512: FDB7BD49B53E243FBDD3FF6613BDC0F47E6ACBE378EC9599263393B121395DCA0B23D978B7029F058B5AEBE4264EB356C945C0EB1AB00B3D6A3E75EE6D4D8651
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 355
Entropy (8bit): 4.365173801202148
Encrypted: false
SSDEEP: 6:a33GWsurYzIbhGvPiUWrFArTWzgVJ86CcE6LpA6rMrLGbGVPoHknd3TFKA8iWFzK:amN9C0vPQqrqsj86Cck6kVPoEnFweWKp
MD5: 52728264A79BB126BC05A9339A806437
SHA1: 031F624DC90E451583A740F03B0432F63FB472DE
SHA-256: 8D23AFDA0BB6BFD4399AF4AEBFAA8196644DCD468D1E6705C2388E7DB49F8D4A
SHA-512: EFC41C3E278119CFEDBC039153FE6374C5DB4DBD95E10969768115EFA463D9E38CBC0C3DC2469D200C775AF7851E4B77AB4AE63B5456E4DE996EB21A94903519
Malicious: false
Preview: Vekselrytterne kolostomi skamskndede ufortrdent stableman unisolate fancical..[shrouds brasekartoffels]......aftagere afterband rituel.Limiterede corregidors vgtningen debouches caribed entopic bankkredit dopey hjemfrsel..;karaktertrkkene venulose snadret angelikas heroizing nitrosyls.Remonteres interesseomraader moslings propolsserne dilution refulge..

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 666x357, components 3
Category: dropped
Size (bytes): 34271
Entropy (8bit): 7.9659073424878555
Encrypted: false
SSDEEP: 768:4WE6omjLoyBWuDNGNceCXyQezdhoMB8q+ljUsYU1xhbU3vCH:4Uom4yBhmQi7eK8q+lpJRUfCH
MD5: 868F1BE25FA5F82DE53C0CE9EA030CA3
SHA1: ECA9A135448D5C0F613209FF3516CAE3716BF0E3
SHA-256: 5FD97F664356EE61E6182C19DC0AF76318B4AA9AF75D674F11EB45DEF3D66526
SHA-512: 6A67BE639F4A4A8A24587ED6B1D67F276F41BC750B0FC74C49A69FF9293F57ACAE6DEF3423C8DF06805A1BB7CE894F4359510B3A27E2E1F388D065A618479E21
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
Category: dropped
Size (bytes): 78838
Entropy (8bit): 7.9645085314331405
Encrypted: false
SSDEEP: 1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMp:I55e/pVQIhrqKusGkmkPnNYhX2R
MD5: C994CB2032DBA92B7E631171678EC43D
SHA1: E206DF32EA7F37FA26075E0456786E138AC27AE1
SHA-256: 3D6B9E81DA6DF4A9432CDB4168EE8F8B26CC88E47FDB9BB8A6D967FB1AB241E3
SHA-512: E444152150B4C1007FA96AA079E41D959A5A48D00D9F1D9AC15321B646F7CF4000D43825DF25EF7D69275A3CA86C029E8862AF07F873A8375B1EAAE5280A4F13
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 666x357, components 3
Category: dropped
Size (bytes): 33760
Entropy (8bit): 7.967017042537166
Encrypted: false
SSDEEP: 768:4WE6omjLoyBWuDNGNceCXyQezdhoMB8q+ljUsYU1xhbU3vCW:4Uom4yBhmQi7eK8q+lpJRUfCW
MD5: B79A2EC8152E04C3DF16B5DF803ED841
SHA1: 4E8FEE2ACDA813B8D6F12FF1B2B9BEDA769C05BD
SHA-256: 584DC6A4106CFB60A2794937921B3B560F398558B482D5C24A1ECFB997EBEA9D
SHA-512: 0DFB2B2FA92EB11B60C87D272B6B2EEA14DC2E05D53048C445772D6249F3635BBD1EE7B663F9F670FCD06C50C71839323BF2325CAEECBD9AD7D182E5733C3488
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: data
Category: dropped
Size (bytes): 271048
Entropy (8bit): 1.2501527383190683
Encrypted: false
SSDEEP: 1536:J3Cc9bXL6XUITHsHuh6mYsN8xVvBPJggd0Q96LJe24TSewHt/z1tIwt8iWoImuhr:JGU5Q+7bgfC97p
MD5: 4CDDE62E05107CF3BAD9767453F364D5
SHA1: 8C3990C82C3F9C0ECECCFC2E878F00B674556E6E
SHA-256: 80EFA0744FB280C29C700886A6CD158053D0BE9C2D87F445A76C6DEA410B774B
SHA-512: A3C64E4B4DB6AEA45756BFB1C2BED5F7CA19549DE8C2D095F320DB8BC8589B01E356D033D6073CBEED9B56EDA1939BEB98E727382F5396EA3E50079125B19451
Malicious: false

Process: C:\Users\user\Desktop\MNLS4PjscF.exe
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
Category: dropped
Size (bytes): 19024
Entropy (8bit): 7.941019032399731
Encrypted: false
SSDEEP: 384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJh:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJh
MD5: E9772CD90D72A4F4AF0401E7BFBA7BBA
SHA1: 45DEEC11D8CE16E3DF98F6E3AC23A6B647A81535
SHA-256: 53BB5626BC226D0E476A35645C2D720C1056ADFBB23DAEB5923E9264540259B9
SHA-512: BA2E24D412C69D2B1EBAEDBF5B7AC0F94544A3E9C42CDE2FB13C456217B6B0449024086D78C72F8B7C4EBA35622C56623919F64CE408471028E0A5DC6E206027
Malicious: false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i....*...J..}.t..*.t....4..*A...|....U:.~....)......[Q.f.....K.<.0.9.*D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 203x671, components 3
                                                            Category:dropped
                                                            Size (bytes):30956
                                                            Entropy (8bit):7.969499868102271
                                                            Encrypted:false
                                                            SSDEEP:768:ofYXJ6hCAlkicSla3FFc1VQC2NOF1Nuse5wExZ50vn:oQalrlaVC1uClF1NuTT5Mn
                                                            MD5:C9D3CCBEBDAFAA919122541A202A9733
                                                            SHA1:F81641E686DE3B8C884971EC5DA65D8CF4BB4D3F
                                                            SHA-256:5FDB8BED6E957D3399EC0D8A30934F1E0B2A4C5880A6EC8DF43F786BAA32A96C
                                                            SHA-512:F16B4DC339F4943E19408F386C376C50A4DA42E6DB1241EAB90B8596AF701F75421B87A1AEA10835467A3900E29E2611943DC9B89FDFAAC3E46D0546BFA83A7A
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..0..6..#...(.8o+'.:.l.H.FN...... ...$.i..$-....%.q.Gj.9......O .......)...'.....f.\lG..u..>....Q....o.hC..R.FF.C..#m.k......@c.0.OA....]..r...rel.B.S....k.......Y....?xjd.X....oT5.5...t....L.5.."6g.u.*M..V.O.....Jm..Rh....0..l..kO...U.\[.-.T.5.Y.]..R.>Q.....w.5.......![q..4.O.X'..i.G..?..a..jK5.+.b. ..^.%..qQ..T...(.GsL..N..L~...\.-.......}z.\i.q@^...R{
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 666x357, components 3
                                                            Category:dropped
                                                            Size (bytes):34638
                                                            Entropy (8bit):7.9628416848799
                                                            Encrypted:false
                                                            SSDEEP:768:4WE6omjLoyBWuDNGNceCXyQezdhoMB8q+ljUsYU1xhbU3vCL:4Uom4yBhmQi7eK8q+lpJRUfCL
                                                            MD5:5A1AD1096F97C0E2239684846D247918
                                                            SHA1:2885227167F0780AED630077007401989AFDDAEE
                                                            SHA-256:C2C9EE1D315D2D076FAADFDECF060E59877B621385A7825EDBA473BE85CCBF7F
                                                            SHA-512:2740807D4DCDB5D2CE786488047360225EC7DED2B84A215CCE00DB25E67C2A9B5C9C3E0593BA35F8E48D937E3104FFD97C3B034471639F88D3119F9B9C62B36B
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......e...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..j\R.zq]G(...z......Hi.."..E.....G.J..P..)..P.h&..L{P..r..I.;RP .R.\.]....Fh..P..b....8b...A=...4..E...\P)(.v4..4dsI.h..-..R..q.))....M..i...(.A.P.b.)2(......)E....{.G4...(.`..SE:.0..R.@...9F.-...)z.GJ^.....Z..h.4.h.i(...(....../Z)q@...ZZ^....ZP3...-.{..Z.3G..P!..:../.0.y..K.ZhCE....Z.%...E.7.`R...r>..LQ..6......j..?......&)6..O.=.q..4.1..zPE. ZO.Gj.7.Q.u.
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
                                                            Category:dropped
                                                            Size (bytes):78312
                                                            Entropy (8bit):7.965760163563921
                                                            Encrypted:false
                                                            SSDEEP:1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMo:I55e/pVQIhrqKusGkmkPnNYhX2g
                                                            MD5:B53488FB78817ABDEA984B799B644E71
                                                            SHA1:B52C3F0461B2D4827634B17A8456FE0EEACCF166
                                                            SHA-256:37E2971FE0FE1B8F445A2D90CFEFC40A614C09F04D4269DC0E39131714B71644
                                                            SHA-512:817F53CAA92582CE9F070493836EF6E925CCDFECA064C3CD8ADFFF1124542D61ED2F2DD2ABBCFC46F7CA700A43710EA78440BD16092AC41EA59D90C7E2BB13EC
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 100x236, components 3
                                                            Category:dropped
                                                            Size (bytes):6266
                                                            Entropy (8bit):7.934604994452403
                                                            Encrypted:false
                                                            SSDEEP:192:LageUe3z8q30+rTymq37MvDe0QQCtvOdjxvIqwgOdTsx3W:OQeJ3trT1cMvD2jvO7vIqwgOdTaW
                                                            MD5:D154965D450CABB2873570BBB6BCEE1F
                                                            SHA1:B69F899F37D407E34F7391B278C08140F22A8D4F
                                                            SHA-256:8EAF9B50CE1AE80F9A033C88D393FABFF9033E1D8485B411594889DD23AEEB48
                                                            SHA-512:6483603905A6B6566F45C7F26EFC549D371A96DEFD57B29DD96AE8890EE481964C9E682A1077AEFC8D10F8366FADEAFE9FC0DE12477D0265C70D3BC629E53B3E
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..a..;z..6+.H.5$.o\.....h..vc.^.c..2...d..f...S....>..$..y8....<q...O:Z.,.$s..e..b.0...\.v........:.Y"9.z...9.\....aV.T....1U$..KcD.....9..G..e...........H#.?....S..+..hW..x.......1.T...6s.....;h.ym ..4*..2E..V2I=...7w.t,UD...Z.9..V<.$.=j.d...zc.J........x.J.4y ....X.A...PH.~S.Kn.I...1;....pOJEr$a.r8.......4.D...s..ZRf.b..$...O|..3ax..WE;..?Z....<t8....
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
                                                            Category:dropped
                                                            Size (bytes):77820
                                                            Entropy (8bit):7.966308391338044
                                                            Encrypted:false
                                                            SSDEEP:1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMz:I55e/pVQIhrqKusGkmkPnNYhX2r
                                                            MD5:69FAD6C6022F82800FD9AA55EAFF43DF
                                                            SHA1:C34951D82990B356BCB2CAE1B24690AAA9A558AB
                                                            SHA-256:D765417E77F1604852B08BF8E3FC78B08DB3947AE0456B7DA5A7E272D83B1426
                                                            SHA-512:324D713ECDE5AAFCEE49721D65936E3B8646F482521D971059E4D90908EAAA0CD7F0FE47159529935C3589F5892AB9F930AE74630EDBECC81CC68B7FC5FBA227
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):252988
                                                            Entropy (8bit):1.258435768634305
                                                            Encrypted:false
                                                            SSDEEP:1536:Ffup5V9mQ4FqyWKrbCGsV2kLUY+mvKDFHHe4w/Lm65l32C+8zQNrpQJu0jx23uf5:1lMpKEfpd
                                                            MD5:E19F0FF07EFE63E8B30B92E64C3279C1
                                                            SHA1:7855F6FBD8FC96F485B4140A85A4D5CBD31F1AF9
                                                            SHA-256:4CE892AA1B8B8CFFC9835C703FABC69087F82490FB46E889D6C07280DCE64E03
                                                            SHA-512:030264903EFB58841058997648E112F3AC89EE4D9EA038D96F1CD132A59B2B0A3D6BCB4DD99DA62279835408453F84CF3AF492E1D53910C8AE29CCE386E2D5CB
                                                            Malicious:false
                                                            Preview:......................g........................P.......<.%}...........s...................Y.........M........................D.......................R...............................^............................................................................\.......................................................................................i........}.....j............%...........................................d.................._..............................Q..........................................@..............................................o...................;...*..?..........g..................................................................................................................................*.....X.................`.....%..............[.....Q..........2.`.................................."L................................v................(..............-...................................................................".......................................
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 253x460, components 3
                                                            Category:dropped
                                                            Size (bytes):9249
                                                            Entropy (8bit):7.859769804343658
                                                            Encrypted:false
                                                            SSDEEP:192:Lg3GVbPdwh/TkYJFxFd5Ynr9rwP8eiJnuLq6dIUfvF3g5/S+4DHEk:k3GVbPdSwYJn5Yr9rNJuLq6d1nF6S+4F
                                                            MD5:99568CF7EA7AB982BEBEC6E8C9736699
                                                            SHA1:656B55183279F357ABE336F6359C4AEDB5FB4AD6
                                                            SHA-256:B9FCD205A8B2A819D6774B0F217334C24E508A02BA504D24CE3438C17AAE630A
                                                            SHA-512:C7408A24197C4BF2B14C3AD43840851EB14325E60490998E1625FEC3CE538CB8B4EC1C9A71836990E0EB4EE922040217EC0989FD6E6D4F5BC4FCC3F3FDA0FB10
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..*JZJ.JZJ(.h...QE%- .(...-.P..E%-&..i..i..J(....Q@.KHh......BR.JQ@.V..E......%8.h...i.2..4......K@.KE..R.R....Q@..QHh.E- .4.Zi.f.i......(4Q@..)i(...JZ.)E%(.@.-IQ.Z......{S(...*N.....%.S...Z(...(..............Q@..Q@.%-%..(....(4.JJZJ....P..AK@.Z.TKR..1..GR5Fz.4....z.1.RR........(...ZJ(.h..@-....);.J.(...-%-%.-..C@.4.)(..ZJZ.QKM...$.".B.Z.b.J...Fh.S.Z.ja.h....e.E.P.E.P
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 564x766, components 3
                                                            Category:dropped
                                                            Size (bytes):79085
                                                            Entropy (8bit):7.963718594699245
                                                            Encrypted:false
                                                            SSDEEP:1536:0aI5v5+r/WGPIAVQIhrVMZXPizutOFGlin5ZSk2iFJNfgJSYrLfEXWMn:I55e/pVQIhrqKusGkmkPnNYhX2P
                                                            MD5:48951E338D32805997DA47E7122CA34C
                                                            SHA1:FB7A57BEAAC5B15E081DCF5A54947107FB9DF9C0
                                                            SHA-256:62D4D8C14C5BC21B8FC7BAC1BC1C8A272404C5516871E574D9E65EEF00787D11
                                                            SHA-512:7BC3831B4274EB53F5F40C59C41456C35005FEFDD486774DA41287EA46CC33E2858C0DAE2BBE9FD12EB63BD7BA8460D8B184AB316340B45E90C939821B92D2E7
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........4.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..lY.C.v.J.).6...{S.)+.k......%.3..=k@J#.+29Da@.J..c.YJ.n...3....E;.P...v...{..&nJBO.......'......<.cT.j..[....q.d.....8<...)...Y..d.c.......tV7....\..X.;..x.kG(<W....:.4.H.[..$|r{T7..9W=..h.=+[{....+. .F8.>&_.....z.....T!tL.f<.3..4..$.5.,....N.vr7...+.......sZp.#..Y.....O.;..r.gTc..E.k.{u5.....U....E:.5p.z..j.O"3....*..f..+.d.3U..u<qE:.;..$.X.....D.....M
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
                                                            Category:dropped
                                                            Size (bytes):18366
                                                            Entropy (8bit):7.960531856269744
                                                            Encrypted:false
                                                            SSDEEP:384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJ0:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJ0
                                                            MD5:D0B061FE143A45224AF28C219D85EC29
                                                            SHA1:98EC46FB584AFFF14AB2B9D8DBD914C2F82DB58B
                                                            SHA-256:DDD6D841667588C40373273F4ACE25CD8E25C527BC4B15160A4BD95D5F5F859A
                                                            SHA-512:D6035392C1E6D28B01CF4AD9025E9E43B64CAAD772B6FBF2F0D239CDC5F2B1DB3266DEAC88DC73B3C443D8755582E9E99B86642BE67E693447B5B70E79116A48
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i....*...J..}.t..*.t....4..*A...|....U:.~....)......[Q.f.....K.<.0.9.*D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
                                                            Category:dropped
                                                            Size (bytes):17926
                                                            Entropy (8bit):7.964086895083405
                                                            Encrypted:false
                                                            SSDEEP:384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJy:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJy
                                                            MD5:226BA095D6E35AE7575FF844DA0C0293
                                                            SHA1:D50131B137CAA1464076A0F6B1AB1ADA6E99234E
                                                            SHA-256:307B12DABB919A69383409A5064E70DCD0CD4903C9E94814D10C540312F0BE73
                                                            SHA-512:3BEC4961D0682F6ECA723A8838DB446F5152C34D82B9EEE7CE2B80724F63BAB6D4A3BE0C0B5418E7831F04AD8236697B7E4820ECE601878471AAA2184488121A
                                                            Malicious:false
                                                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i....*...J..}.t..*.t....4..*A...|....U:.~....)......[Q.f.....K.<.0.9.*D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...
                                                            Process:C:\Users\user\Desktop\MNLS4PjscF.exe
                                                            File Type:huf output
                                                            Category:dropped
                                                            Size (bytes):458176
                                                            Entropy (8bit):1.246204574944222
                                                            Encrypted:false
                                                            SSDEEP:1536:xRWO2EIpW61fXKYiZAiYUQZF4Ce2spug3ZcCQy0kTwxdwBl9qiJsuQKSA4o6LOzv:seFwClmyQzweu
                                                            MD5:F507FD73B5683DFB9ECE04A486CF8E21
                                                            SHA1:171A7FF1F5C92A75FF2787021BA6750FEF68213F
                                                            SHA-256:9AEAFCD46AA3D1B660FB1A3A8F10C21D28C80A50BF37A23D9ECA444A51557065
                                                            SHA-512:B6124C979EF1DC6946F95EACAA369E4EABB9B0E32781197A8A2686FA2FEDB69B123B274EB19E82E4AD781FB49D6F74A96E1B38C147C7AC163C5430DD084C7D2F
                                                            Malicious:false
                                                            Preview:....................................................................................................<....................q.......................u....c............................................................C.....k..................................#..............P......k............N...............I.................................................S!...........................................................Z...........u.................m...........................................................................)..............................................................................8..................................................................p............................D....u........................................G...............[...$.......~............E............t...........1u...........................................................................................................].............................4.....................................................
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Entropy (8bit):7.956197504044966
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:MNLS4PjscF.exe
                                                            File size:883'660 bytes
                                                            MD5:7730242b95171f0ccb03e28bf8f5056b
                                                            SHA1:a5348671e4b92b3c64086abe6fced83f251e692c
SHA256: 2baf2894d28fffff439499fbcd6b92714febd8ea39c0850f60f4575adedef15b
SHA512: 74a89a765c1d138b3e9c90a0cbb3768ded91ceb7140d99b97b8aec2392e88e58d3b46a657db6738f8effa59743ae6e4eab19bc264944273adaa7543dfab9626c
SSDEEP: 12288:Zt1Y3a5Pi5kV98nWGjFxN1bIyPA2lKZ7SimXcL9WIoXygi+VIfX+SPA4c5Wj6wnM:VY0Pi5kId5F55lc7zmXcLEr9t4UkM
TLSH: 1A1523005BDD8666EAE521B36D7381AAC3779E968553820F5F443F7B3C342B184A32DB
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................`...*......X3.......p....@
Icon Hash: a5d56872428d9074
Entrypoint: 0x403358
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e221f4f7d36469d53810a4b5f9fc8966
Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F19C4B2430Ch
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F19C4B23F77h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F19C4B23F65h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F19C4B2145Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F19C4B239B6h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F19C4B2151Eh
push 00000020h
pop edx
cmp cx, dx
jne 00007F19C4B21459h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F19C4B2144Bh
add word ptr [eax], 0000h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4d000 | 0x5040 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e66 | 0x6000 | e8f12472e91b02deb619070e6ee7f1f4 | False | 0.6566569010416666 | data | 6.419409887460116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x202d8 | 0x600 | a5ec1b720d350c6303a7aba8d85072bf | False | 0.4733072916666667 | data | 3.7600484096214832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x23000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4d000 | 0x5040 | 0x5200 | b2da62e34b8c62c487b136a5434db933 | False | 0.17844893292682926 | data | 2.8674367335879127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4d298 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.10197095435684647
RT_ICON | 0x4f840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.17659474671669795
RT_ICON | 0x508e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.21598360655737706
RT_ICON | 0x51270 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2703900709219858
RT_DIALOG | 0x516d8 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x51820 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x51940 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x51a60 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x51ac0 | 0x3e | data | English | United States | 0.8064516129032258
RT_VERSION | 0x51b00 | 0x238 | data | English | United States | 0.5422535211267606
RT_MANIFEST | 0x51d38 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Description | Data
FileDescription | vignetted
LegalCopyright | dommedagsprdikenens johnnis
LegalTrademarks | kodes
OriginalFilename | toggler triumvirates.exe
ProductVersion | 3.5.0.0
Translation | 0x0409 0x04e4

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T23:38:24.728131+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49690 | 142.250.74.206 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 23:38:21.885956049 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:21.886020899 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:21.886110067 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:21.895350933 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:21.895368099 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:23.916640997 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:23.916773081 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:23.917457104 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:23.917570114 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.039989948 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.040019035 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:24.041148901 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:24.041218996 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.044802904 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.092333078 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:24.728116035 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:24.728260994 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.730617046 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.730737925 CET | 443 | 49690 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:24.730806112 CET | 49690 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:24.770193100 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:24.770246029 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:24.770313978 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:24.770586014 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:24.770600080 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:26.742193937 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:26.742276907 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:26.746409893 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:26.746427059 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:26.746725082 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:26.746783018 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:26.747359037 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:26.792327881 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:27.487162113 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:27.487209082 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:27.487360001 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:27.487391949 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:27.487504959 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:27.489983082 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:27.490041971 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:27.490078926 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:27.490181923 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:27.501734972 CET | 49691 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:27.501773119 CET | 443 | 49691 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:37.517446995 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:37.517502069 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:37.517571926 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:37.517898083 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:37.517910957 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:39.686970949 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:39.687117100 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:39.687756062 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:39.687833071 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:39.690896034 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:39.690912962 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:39.691167116 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:39.691230059 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:39.691699028 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:39.732331991 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:40.423940897 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:40.424014091 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:40.424060106 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:40.424129009 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:40.425729036 CET | 49692 | 443 | 192.168.2.9 | 142.250.74.206
Mar 7, 2025 23:38:40.425748110 CET | 443 | 49692 | 142.250.74.206 | 192.168.2.9
Mar 7, 2025 23:38:40.435286045 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:40.435319901 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:40.435383081 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:40.435626030 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:40.435637951 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:42.245260954 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:42.245388031 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:42.246012926 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:42.246021032 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:42.246205091 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:42.246208906 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:43.124628067 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:43.124686956 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:43.124845982 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:43.124867916 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:43.124968052 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
Mar 7, 2025 23:38:43.124969959 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:43.125058889 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:43.126919031 CET | 49693 | 443 | 192.168.2.9 | 142.250.186.33
Mar 7, 2025 23:38:43.126939058 CET | 443 | 49693 | 142.250.186.33 | 192.168.2.9
                                                            Mar 7, 2025 23:38:53.144347906 CET