Edit tour

Windows Analysis Report
employee record_pdf.bat.exe

Overview

General Information

Sample name:	employee record_pdf.bat.exe
Analysis ID:	1632165
MD5:	d00a5d4d5c3e9d9b767608fcc6f7aded
SHA1:	3cb85f4f53c98a37636c3d0ece582d4f5abb9be0
SHA256:	f23bf9e69da8ae73fc237cd65ee954f30ac1f9f009915a50252d3085b47e71dd
Tags:	batexeRemcosRATuser-abuse_ch
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

employee record_pdf.bat.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\employee record_pdf.bat.exe" MD5: D00A5D4D5C3E9D9B767608FCC6F7ADED)

employee record_pdf.bat.exe (PID: 344 cmdline: "C:\Users\user\Desktop\employee record_pdf.bat.exe" MD5: D00A5D4D5C3E9D9B767608FCC6F7ADED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1349286382.00000000097C8000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000008.00000002.2122120011.0000000003F98000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:12:39.812705+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49688	188.114.96.3	443	TCP
2025-03-07T20:12:42.456670+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49689	188.114.96.3	443	TCP
2025-03-07T20:12:44.994159+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49690	188.114.96.3	443	TCP
2025-03-07T20:12:47.484768+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49691	188.114.96.3	443	TCP
2025-03-07T20:12:50.154074+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49692	188.114.96.3	443	TCP
2025-03-07T20:12:52.585763+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49693	188.114.96.3	443	TCP
2025-03-07T20:12:55.202047+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49694	188.114.96.3	443	TCP
2025-03-07T20:12:57.640489+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49695	188.114.96.3	443	TCP
2025-03-07T20:13:00.570563+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49696	188.114.96.3	443	TCP
2025-03-07T20:13:03.195878+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49697	188.114.96.3	443	TCP
2025-03-07T20:13:05.851008+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49698	188.114.96.3	443	TCP
2025-03-07T20:13:08.230734+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49699	188.114.96.3	443	TCP
2025-03-07T20:13:11.903140+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49700	188.114.96.3	443	TCP
2025-03-07T20:13:14.660669+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49701	188.114.96.3	443	TCP
2025-03-07T20:13:17.243044+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49702	188.114.96.3	443	TCP
2025-03-07T20:13:19.989871+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49703	188.114.96.3	443	TCP
2025-03-07T20:13:22.506953+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49704	188.114.96.3	443	TCP
2025-03-07T20:13:24.942595+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49705	188.114.96.3	443	TCP
2025-03-07T20:13:27.500464+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49706	188.114.96.3	443	TCP
2025-03-07T20:13:30.268659+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49707	188.114.96.3	443	TCP
2025-03-07T20:13:33.417800+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49708	188.114.96.3	443	TCP
2025-03-07T20:13:36.083891+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49709	188.114.96.3	443	TCP
2025-03-07T20:13:38.736479+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49710	188.114.96.3	443	TCP
2025-03-07T20:13:41.214140+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49711	188.114.96.3	443	TCP
2025-03-07T20:13:43.865981+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49712	188.114.96.3	443	TCP
2025-03-07T20:13:46.648052+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49713	188.114.96.3	443	TCP
2025-03-07T20:13:49.369086+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49714	188.114.96.3	443	TCP
2025-03-07T20:13:51.984245+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49715	188.114.96.3	443	TCP
2025-03-07T20:13:54.385094+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49716	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: employee record_pdf.bat.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://chneiu.icu/qZzaQfFD/epGfV132.binI	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.binl	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bin%	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binl	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binf	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binstC	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binnp	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binm	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binnU	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bin32	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bin7	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binU	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binp	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bin	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binnB	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binn%	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/5	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bino	Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binn	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: employee record_pdf.bat.exe	Virustotal: Detection: 62%			Perma Link
Source: employee record_pdf.bat.exe	ReversingLabs: Detection: 52%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: employee record_pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49688 version: TLS 1.2

Source: employee record_pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00405E7C FindFirstFileA,FindClose,	0_2_00405E7C
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_00405438
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00402645 FindFirstFileA,	8_2_00402645
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00405E7C FindFirstFileA,FindClose,	8_2_00405E7C
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	8_2_00405438

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49698 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49697 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49692 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49704 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49690 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49694 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49699 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49706 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49691 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49689 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49701 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49696 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49702 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49700 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49711 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49688 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49714 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49709 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49695 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49693 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49703 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49710 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49713 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /qZzaQfFD/epGfV132.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: chneiu.icuCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: chneiu.icu

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:39 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4jKcqJgItIjSC%2FEDqQqdtdLkEGC6gus%2BzhyxcHOftAsrUWuWqWpWm3jBIWfIQTQ2jm6LqdYucOJx7aiih1w%2BKvE9REKFiKpP7WdhH9o7DGW1elIg%2Fj5we5Mf7fbZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc67d74d8c5980-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:42 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fi2ikRVjAWZsTLqx4krcC0nafN23%2BrGtjiDMteQbrb9Fp6C6tPh4lQC0e4kYJMqgkkTWfmZlAhc53okpXPzQYUE9uAwC%2BUCLFUUYWzGucRU04TII%2Fa7IbOPMFLcW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc67e7ffefc98c-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:44 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KPXGrBV1WJkTjCyf0rx2Q4boiprYCHdMmY6j%2BGrVz4w9pvJOfYRp9aaRh51rMfr5%2FsRj1J9Rp8euVRgiPWepjq9%2F6nlspAQK%2FXF0wZYoodDMQTWUsUbztEsQrAW3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc67f7fdae1ff7-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cA%2BuARElXoMGesz9xYzYRqdvi4UjTTbKGqsv%2FueGLw45OjLOGp6Nuu6P6ISfjYY3nDU6IFD%2BYMsvzr9IoyqN3BedwOo9nN2UoWmWDVsFak84cPVNTnax7lH6COfj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc68072dc482ce-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i%2BmxGtdatXH0J2lZ4ncbUcIA4mzK4isXMdY7%2FwoJajvJAkpPNMqtXaz2p5IWQ0tWZlYbyAn7VYabk0ylTKWFa0rg6PkT5j0iAICO3k%2FwB4fxAIWnxwyurjPhaCNj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6817de1f9c36-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B4rA8HJincR8bUVDk4U%2FF%2BOfiNEGYhIqol0tyqZL31UEM742e6YIPliXs2v1aaaSLtsKuqd77w2FssH%2FVu0E4yCbeIbj1%2F09rpX4R4vsyekF0wgi0HwPAVoqszmN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc68272cab42fe-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:54 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zcWqq6tCApc%2FUFSHFEe21ugXWc83SX7Bao7OBYdOklVcQl9ZRSs%2BJOm7umVhum9FPUdIDmvDf6YmZHJnJQt8kmRyYBOH04cbyMAwMn%2FDpvzPEwK251ryY7IRQfUW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6837ad83f276-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:12:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=avBkJYX82k38nk9kmmZ2fYV5LsyHUlhZ330%2FDy6hhQSfMNU5IkeBj30%2BylZs0VIDvmakl%2BE8ysosIlo6Wwc6npTlHeDBwKWz4tDeqdMuidZS16MUNN5Ec1CBs4lt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6846883159c1-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:00 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBijzQbthNbor3sYE2bO3JvlAcdeyc73eFF3PUiJ69YGKijdORWsssQTIO1dPsJ%2BV%2FoGs7GrT6cCj%2BwDeK7Hsu9jz6eySYr1Cnt3BSka9F3J8k%2BOerbZ8x2UdOzm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6858cd05e608-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 91cc6869685ef280-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=00lRkjeBSh852xXfWbLsY5xp0%2BwC8nHHKDCtGFV2h41utT1OYHSURnQ6nTjAPV%2BJRJS4oRx3Uyy7xLDopZNGJL8HJaDKFyjmwyDeJhpc9UjzDYGXOb0FDWuyETLE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc687a0c04391a-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HyHmFgiH1XQtLNUZW9zEsZpXxbyZcWXuA%2BfKygZTAyWyLGtAu5rkGRXVL107P9SAKLjw1VYM8i%2BZdpE6Mdbk0zESyi%2B0LJRSfDUMwVb4h85Arb0ptPD1FBWHj9Pf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6888ceadc958-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D9I61B9PowJIbfdVweI7bj1kdnjiAb7SlmSfZXRhkCS7eKEpzjG2QsL8%2F6lonq9BSFdQ01iVcHWGvffHOpaCHsrKrlUFLFnqHUpsgw76jwtqu8H%2BlJiOurpMeul1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc689f3f0f9c34-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=usfm14%2BoyV%2F8W9Q0KE%2BWG320A2bd797DCxTWO0rUywsHhFYGPv18RSxseAYzZ%2BA7txvBxy1ECGwOa1ZY4OsBj7Nr8JBE9%2BcmHzE%2BpzcPm%2FtvO4U0E4Tjk2H%2Ffrpi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc68b08aa6f274-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bZs2l1OFVSOLed9eKKimjVQfOczNizaEAYAHgaZEKFpJadzCBLozVRsOGPUJxRgS%2BDMwW8GwKpCnEZd9Ce2fUPMNpkZ2Qa6AT2f8%2FbN%2BYuhDcAC%2Frj9koU%2BxgiOT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc68c129188287-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xy70QIdqr0D5IpEOTBPxdWZ2nsmlVjl9%2BG6swtrzzXLJzdBvqRDViEmnpYmLrAr1pNlHPSeox%2FwsfgOtKaUrHv1PahcjZYkjBEtol7fifIJCh7ZFzASdQo217bzU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc68d26892879b-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 91cc68e20e590823-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LhqTNyIePv4DQVQCTfA7OeffBoMgKiKufyHIITTfXUz%2BzHDeStx7ABsMebyXMffpJCFZ0FcMnNLQR5aYm%2F3VpuQdG%2FLmyhntSp5%2BkwP23KdH0D1ORRLcyTL9lgam"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc68f13866d8b4-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXM0MXvLEC2vbqGOldR0RxRthUT%2FpyhHu2aAwPwWcf%2Bkiwps2deLZgATcFsBv9ifiR3LmJp%2BnsT6T5pE3i3cRoszVznxWqOSKD8Qk1DjMeKKmZqg5CZntPvlE92x"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc69012efcdda4-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qvrVaw52%2B9N8W6%2F3eZysawFNaj5ApIjpsOt3hK9NzQbl9YHWQph7%2Feq%2BiUQHOktEq6tg%2FeISEE%2BkSDIaZUcB0kuoebHrr6p0AC4HCrodhpgh%2F6fiLAgOXDe7HTGq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc69129a01079c-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FlNhevnx18AAKeaQXTtSRI5sUbDcyvYVBNU7NONOzGYhHDD5Fqjc5K5vt1acIx6VpkPccGfSujCYzgmmgNc0627mVAO5kKHe5Yg4boQlXHGvpZmwB79ueaKDboY7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc69263984c98c-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UknQSa5ToPuOwzHQeZwLSSnmHFNIRTgsuazTCibRcaUaZSPhUKj77yoEHRGgeBKC9hNnReR6fOb3mHGQa8xxBf3ySBFARwG9WuOly1LFRGy1aJtV7T%2BzailX%2BvS4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6936fece0854-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v48dcEdi45CuH1E9O3g235PZz0SdnzbH%2BWNoGqTN15BbrFntp9ZWZshroB6PfiDPCNIvBjYxmyVcrM8ipf9LFK2Ner0R9m2c8MhxJ9xbx23aSlvbLgdUOMhsR0JV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6946abf46fe3-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 91cc69573c468024-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 91cc696788b2f278-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:46 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4gVqzF%2BCeptsVCLhQNxAZbahgh%2BS%2BdVup4f9EFcfvph6hOoJBRnnAs2TcuE1e21NGFSpA4dFzF7lmtHTjpfoX8psbdv6HiFEoNV1zksvFPunND%2BygkzGJkhkc41J"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6978fe28c938-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G8KKcEYFXl8Q0hCcRNYgQMmBA568oIsExGdtuRkv1PjYigXyvx8eaHq0OXyfPOUHTw8Qt%2BxoGcCR%2Fqyw6VkvvDEeIH8DeWgj8XXQ%2FU%2Bk%2FIdp%2FrFikW1d2qHCV9hM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc6989eb843af0-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:51 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eQ7jlYOTXVek1UD25H1nFqY573YBc5%2Bl%2BpdN6EEPz0GeNq3Xs0Q7u%2F0fJElyabSKvwwzwT%2FhACvS5VzUOvcdTBv%2By4nXP8j6lW5D1PhUQfklM4vAYm559JlPhLpb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc699a4ed038fb-IAD
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 19:13:54 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=25f%2FaJAH%2Brs4QMcYxF2Wzimfc7u%2FP3BRxWCtkkutLs4BnbbRTuRXDqpJkuAyTLq4idF2JATyqrN3zI%2FiUR9YPFN9qvCerDdutON1kF%2BQ%2Bw8SMhrppXNBpPQ%2Fw1Fs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cc69a99d305997-IAD

Source: employee record_pdf.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: employee record_pdf.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/
Source: employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/5
Source: employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.binl
Source: employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bin
Source: employee record_pdf.bat.exe, 00000008.00000003.1455910700.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bin%
Source: employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bin32
Source: employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1588283703.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bin7
Source: employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binI
Source: employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1588283703.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binU
Source: employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binf
Source: employee record_pdf.bat.exe, 00000008.00000003.1455910700.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1588283703.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1431184817.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binl
Source: employee record_pdf.bat.exe, 00000008.00000003.1455910700.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1431184817.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binm
Source: employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binn
Source: employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binn%
Source: employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binnB
Source: employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binnU
Source: employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binnp
Source: employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bino
Source: employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binp
Source: employee record_pdf.bat.exe, 00000008.00000003.1405927939.0000000004925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binstC
Source: employee record_pdf.bat.exe, 00000008.00000003.1612859381.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727505861.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1885611102.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830360263.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1405739584.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1586885709.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1431184817.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2131418313.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942143935.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856070361.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1379114097.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915180150.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1699934101.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612859381.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663229991.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1885611102.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506783561.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830360263.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1586885709.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2131418313.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942143935.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856070361.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1379114097.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915180150.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49688 version: TLS 1.2

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_00404FA1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,

0_2_00404FA1

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: employee record_pdf.bat.exe

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_004030B6
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		8_2_004030B6

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00406152	0_2_00406152
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_004047E0	0_2_004047E0
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00406152	8_2_00406152
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_004047E0	8_2_004047E0

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: String function: 004029FD appears 47 times

Source: employee record_pdf.bat.exe, 00000000.00000002.1287946307.0000000000447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesemicollegiate.exeH vs employee record_pdf.bat.exe
Source: employee record_pdf.bat.exe, 00000008.00000002.2122031753.0000000000447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesemicollegiate.exeH vs employee record_pdf.bat.exe
Source: employee record_pdf.bat.exe	Binary or memory string: OriginalFilenamesemicollegiate.exeH vs employee record_pdf.bat.exe

Source: employee record_pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@3/17@1/1

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_004042B1 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA,

0_2_004042B1

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_00402036 LdrInitializeThunk,LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

0_2_00402036

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

File created: C:\Users\user\AppData\Local\Songy

Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsm5CF0.tmp

Jump to behavior

Source: employee record_pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: employee record_pdf.bat.exe	Virustotal: Detection: 62%
Source: employee record_pdf.bat.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

File read: C:\Users\user\Desktop\employee record_pdf.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

File written: C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\braeface.ini

Jump to behavior

Source: employee record_pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1349286382.00000000097C8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122120011.0000000003F98000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_00405EA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA3

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_10002D30 push eax; ret

0_2_10002D5E

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsj6472.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	API/Special instruction interceptor: Address: 9A35E09
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	API/Special instruction interceptor: Address: 4205E09

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	RDTSC instruction interceptor: First address: 99FBD66 second address: 99FBD66 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700773798h 0x00000006 test al, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	RDTSC instruction interceptor: First address: 41CBD66 second address: 41CBD66 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700F2B6B8h 0x00000006 test al, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj6472.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe TID: 5464

Thread sleep time: -280000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00405E7C FindFirstFileA,FindClose,	0_2_00405E7C
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	0_2_00405438
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00402645 FindFirstFileA,	8_2_00402645
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00405E7C FindFirstFileA,FindClose,	8_2_00405E7C
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	Code function: 8_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,	8_2_00405438

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior

Source: employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.000000000490D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: employee record_pdf.bat.exe, 00000008.00000002.2129156322.000000000490D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt_-:

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	API call chain: ExitProcess graph end node			graph_0-4677
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe	API call chain: ExitProcess graph end node			graph_0-4683

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_00402E62 LdrInitializeThunk,GetTickCount,GetTickCount,LdrInitializeThunk,MulDiv,wsprintfA,WriteFile,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,WriteFile,

0_2_00402E62

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_00405EA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA3

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"

Jump to behavior

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe

Code function: 0_2_00405B9A GetVersion,LdrInitializeThunk,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B9A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
employee record_pdf.bat.exe	62%	Virustotal		Browse
employee record_pdf.bat.exe	53%	ReversingLabs	Win32.Trojan.InjectorX
employee record_pdf.bat.exe	100%	Avira	TR/Injector.zorbh

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsj6472.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://chneiu.icu/qZzaQfFD/epGfV132.binI	100%	Avira URL Cloud	malware
https://chneiu.icu/	100%	Avira URL Cloud	malware
https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.binl	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.bin%	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binl	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binf	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binstC	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binnp	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binm	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binnU	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.bin32	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.bin7	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binU	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binp	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.bin	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binnB	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binn%	100%	Avira URL Cloud	malware
https://chneiu.icu/5	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.bino	100%	Avira URL Cloud	malware
https://chneiu.icu/qZzaQfFD/epGfV132.binn	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chneiu.icu	188.114.96.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chneiu.icu/qZzaQfFD/epGfV132.bin	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612859381.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663229991.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1885611102.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506783561.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830360263.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1586885709.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2131418313.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942143935.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856070361.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1379114097.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915180150.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004917000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chneiu.icu/qZzaQfFD/epGfV132.binI	employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binf	employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binl	employee record_pdf.bat.exe, 00000008.00000003.1455910700.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1588283703.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1431184817.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_Error	employee record_pdf.bat.exe	false		high
https://chneiu.icu/qZzaQfFD/epGfV132.binm	employee record_pdf.bat.exe, 00000008.00000003.1455910700.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1431184817.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.binl	employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/	employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binnp	employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.bin%	employee record_pdf.bat.exe, 00000008.00000003.1455910700.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binnU	employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binstC	employee record_pdf.bat.exe, 00000008.00000003.1405927939.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.bin7	employee record_pdf.bat.exe, 00000008.00000003.1533031050.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1588283703.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1506857656.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_ErrorError	employee record_pdf.bat.exe	false		high
https://chneiu.icu/qZzaQfFD/epGfV132.bin32	employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binp	employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binnB	employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2129156322.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830468996.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942216243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856195979.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binn	employee record_pdf.bat.exe, 00000008.00000003.1482445438.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1889105042.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.bino	employee record_pdf.bat.exe, 00000008.00000002.2129156322.00000000048B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binU	employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100769243.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1663306682.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1588283703.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915953617.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1700009434.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727577428.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chneiu.icu/qZzaQfFD/epGfV132.binn%	employee record_pdf.bat.exe, 00000008.00000003.2074615552.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2047407610.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	employee record_pdf.bat.exe, 00000008.00000003.1612859381.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1753331526.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1727505861.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1885611102.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2019561612.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1557417825.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1830360263.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1405739584.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1993412153.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1586885709.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1431184817.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2131418313.00000000065D0000.00000004.00000800.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1942143935.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1856070361.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1379114097.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1915180150.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1968263596.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1699934101.0000000004917000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004917000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chneiu.icu/5	employee record_pdf.bat.exe, 00000008.00000003.1780801253.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1612925570.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1639441114.0000000004925000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1805970986.0000000004925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	chneiu.icu	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632165
Start date and time:	2025-03-07 20:10:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	employee record_pdf.bat.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@3/17@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 93% Number of executed functions: 59 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Execution Graph export aborted for target employee record_pdf.bat.exe, PID 344 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:12:38	API Interceptor	28x Sleep call for process: employee record_pdf.bat.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	CjbMEPJZ3J.exe	Get hash	malicious	FormBook	Browse	www.marposet.shop/kexu/?bnb=vB2aylf3Q2XahtdhLosDE8imHxT8gnaOyIU1/x/DWtHmRdE433nBd+fkpXIkCpVdFXbAQIB1mNsJnhcAO1C9KkO96rRwixvsUK4o5J4zTNrClVAPCw==&8v4Hv=cpKH3h
	Ccp3sJPDXs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	asdff123fsdafasdf.ru/packetLowGeoProtectCentral.php
	justificante de transferencia09454545.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.kdjsswzx.club/myab/?MP=NdxOYJDJG4lm+JEaKG3C3Lbnwt5J/jX7V01w+cJuJBraytzWaHOc0QEGm1yXIwrAoNttsMOQwUptf8Glw1EAh4LN1ggO1axYIhZB7gb+MpY69764OA==&vv=hBodit
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/2p9f/
	RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	https://regcompany.marrkone.com/ssddcw/e095cdfe/?aef2d=cmFsaUBiYW5lc2NvdXNhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	login.marrkone.com/4c8979e070?nxx=dccfc2c7eecccfc0cbddcdc1dbddcf80cdc1c3accdcf
	FRQ 101102-04-25-0948-015.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/
	http://uploads-ssl.webflow.com/660018002a32edee7a11d41b/66335b965a5a96f03bd82400_kasuwidavogog.pdf	Get hash	malicious	Unknown	Browse	melurilexuki.urseghy.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=91706aaa4ac64204
	http://netflix-official.com/e/authID=ek3Lf	Get hash	malicious	Unknown	Browse	netflix-official.com/e/img/nficon2016.ico
	PAYMENT SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/2p9f/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl	Get hash	malicious	Unknown	Browse	104.18.11.200
	random.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	am_no.bat	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc	Browse	104.21.32.1
	CgmaT61.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	yM5WEfAX4h.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	104.21.32.1
	FvbuInU.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	104.26.0.139
	New Order.xls	Get hash	malicious	Unknown	Browse	172.67.68.60
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	104.26.0.139

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	[System Process]12.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	188.114.96.3
	LtCPevm69G.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, Vidar	Browse	188.114.96.3
	awb_post_dhl_delivery_documents_06_03_2025_00000000000250506.bat	Get hash	malicious	GuLoader, Remcos	Browse	188.114.96.3
	awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat	Get hash	malicious	GuLoader, Remcos	Browse	188.114.96.3
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	V1CCX70AZ8P70ADNI.exe	Get hash	malicious	Clipboard Hijacker	Browse	188.114.96.3
	oAuym78xev.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	mF8WNclxnv.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.114.96.3
	15Er6ACahF.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj6472.tmp\System.dll	staff record or employee record_pdf.exe	Get hash	malicious	Remcos, GuLoader	Browse
	GK#3819794-Septermber-2023 - GANET-3819383-01347-92716-02655-927364-297391-393.exe	Get hash	malicious	GuLoader	Browse
	word.exe	Get hash	malicious	GuLoader	Browse
	word.exe	Get hash	malicious	GuLoader	Browse
	remittances.exe	Get hash	malicious	Remcos, GuLoader	Browse
	js8call-2.2.0-win32.exe	Get hash	malicious	Unknown	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse
	Revised PI_2024.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Songy\filmdebut\Drvtyggeres.jpg

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 192x684, components 3
Category:	dropped
Size (bytes):	20652
Entropy (8bit):	7.927981450879119
Encrypted:	false
SSDEEP:	384:4equB73daBbTY+vSChweS3jG1fPcLXOhtSsL1X8MyoEjuYf/ULL+cEeoa:4eTB7tCTjSChwVTGhPcIqM+xf/Un+cth
MD5:	B8D36EF3F60F3855270DB0A9E64A0F54
SHA1:	D1EFFC8687195AC260B6E678EF34E1C8056070FE
SHA-256:	1CE13753E859755761C981E092F19608D4BABED5C22237B08BF6F6BDDE98E5B4
SHA-512:	32DE5F600C8DB389EE8B191D3F5CAF160008B1F1E429AC6344CFFA435351E5F87FB78B2FA09D7D239F7D8C0C4284E8F92E0348387EF3D9BC0EC30AB78C3D9D98
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...-....#F_............n6..p?:.r..Lc.../t..K.....u...../7]...L.?6.[........_.=.H.?....'........nhh('.g...{......3........\..od`....Fd....&...c....8.}.8..[..\.[..&O.._.}.+g.....P..i.;.O...a~....i.o.h..\|.....5.h.t.O.d.V.N..bi.....~.w.X....M.....................vE...'.h..i..x......S.X...../.+Hz....f.qu.K...!S.....niQ...C.Ig....;.-.k!...x.q.k..~X.^W...9

C:\Users\user\AppData\Local\Songy\filmdebut\Durup.for

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	28346
Entropy (8bit):	4.566308362286192
Encrypted:	false
SSDEEP:	384:8NhxwJYW+Z1Q2Mi+/zoLGmBVGv5SCtUfgJAJzjBKV4ngEyo4AXns:8NbsZ+Z+W/LGmmRJ6BKBEzXs
MD5:	30AA1DB14D2881C77B4DB8D974CBC764
SHA1:	5FA384A99B551E2880F34F598D4DE7678FA45ABC
SHA-256:	4F00274C1C4A8C4AC32C59CDAD75BF70A5955A6EACB01674303EFA53A7C69CF8
SHA-512:	E7D7085F29DDD619DEFB26718689CA664BE0CBB8CE1EB83DD7C4CF4DE232252CCCAABF576972C995602971A30DC45605D04747E1356AC00C48731CE7DD065E0E
Malicious:	false
Reputation:	low
Preview:	......u..................ZZ..........CCC..........X......................g....P.=..............FF..XXX..g..........................r..............{{{{{{..........YY.D............\|\|\|\|....nn.............((((........................6.]........"""......^.......0.....kkk..OO.....]]]]........................+.......o...kk..............O.C.$$...........ddd........JJ.....]]]].............................-.........B......HH............mmm..........................................S.......!.....}}}........xx...[.......................[[[[[[.........;;;......................GG......::....h.1...............................#......`..................,,,.9.vvv.._..&........9...............[[..##..]]].....iiii......1.%%..................\.44.....===..///......A.W.666..v..........a.............Y.....b................I.....b.............\|.........33.LLL.....>..M...A.ZZZZZZZ............a........C.S........DDDDDD...........................................4.22.........=......................a.l.............

C:\Users\user\AppData\Local\Songy\filmdebut\Preciouses.ini

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	309
Entropy (8bit):	4.3536940452088535
Encrypted:	false
SSDEEP:	6:EAbLqaJAHp/WKTSFQ+kPauWOJE4IQyXuNxdGnX9XY5seKIiUAroHv:EAyaJ8p/fbPaOJ/IBuLdGtXUsemUcoP
MD5:	3DB2D14EF4FE27AA8D593B2076C69C6D
SHA1:	8EC6AD4D24B76876A0F20F43F4C1AEF988312A6D
SHA-256:	F273AFEEDD37452F3F61E7C257452602D4698D39B1F9E3D3842413D94C1111B3
SHA-512:	9CCA90AEC2282244C4E1A0E84C1311CB78A34134EC431619045CA8C094BCF1B8077E52EE01344ED5308460FF6018D890E2632BCA5959AAE1DF131ED938629112
Malicious:	false
Reputation:	low
Preview:	Buckboards ingenerably forlbets indiciebeviser,elektronrrene presseaktivitets liv ungkokkenes..;superpurity overklasser archichlamydeous dispenserende persisted paraphrenia.Disincarnation heptastrophic hostlers mahori firmers....;wikeno midparentage woopsing,intentive unshavenness unominousness lurchline....

C:\Users\user\AppData\Local\Songy\filmdebut\Stereogengivelse.Par44

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	256987
Entropy (8bit):	7.800929743552125
Encrypted:	false
SSDEEP:	6144:mtBMsshkxQkZYTtx6aHxUY19LEzpSxPT3:mtBM3kZYTtx6aHNE6b3
MD5:	D3D9D40EB5BEFF65ACEE651ADEEA73D8
SHA1:	308D6E18DE322CEB46DAE3B18C79A584F9FC7D68
SHA-256:	004FBE7D750AD933E096DEC4F048922CBC55A778C9361EA0C0E5418A2D0FAE0B
SHA-512:	8EC9775258DC1D8BA43335EA964B6090D5EBE449A3E2D6C1CC7F766F583BA792B8B0957F409D8387AFA4C6F46EF97CE7B295864D1E403BAB956C4A5CE92513CD
Malicious:	false
Reputation:	low
Preview:	.............................................................l.............''.!....)........__..........}}.JJJ..\|.. .RR...........??........................0............ZZZ.................................`.......r.........L...."""..............tt...+.l..............'''../.[....ff......d............[.............u....................................(.B..mm...OO.........~.Z......g........GGG.......QQQ........t..00............n.o........4...+...................kkkk.....R..........................QQQQ.......FF....J......y........*...................b...<<./.YYY.....................``.................^........................`..................!.........11111....000..............$.....................q..................o.d...........55555.)).............S......8................!..........................."".9999....o...UU.----.....c....................K.R.GG..............qq..~~.III.....x...........~~~~~~.....\.&&......................j..p.......q................oooo....jjj..........eee.

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\braeface.ini

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	318
Entropy (8bit):	4.917657297107023
Encrypted:	false
SSDEEP:	6:CoFzPBKRNOqm9FBxpbyAfjgrcmJVPF1K+pLKg6rJJJjvpA9JyOFgXgut7fpw4QCF:NCN9m3PpvfjucOF1S5JJppA9Jyqgwmzf
MD5:	5759AEAF150D20E26EACBB6E2EEBE26C
SHA1:	69503614AA01E8F2F18FD460B0AA200629F451A2
SHA-256:	5E87DD5FBA1182CFD2480943E60F9C335FF8385AAD7F9C3D066CB955CB333DE3
SHA-512:	0017C49C316742859F766BFD5D6108392BAE179DF8273C187CC8BB38F334E29D593D4A95565748EC4759792C97FDECA7C1F28DAA31553517FBC0CF3497E2A01C
Malicious:	false
Reputation:	low
Preview:	Antigrammaticalness importing champagneprop soubretten boxwoods,rigsmaalenes intervocal atlee..[SOMFOR PHALAENOPSID]..[SLUTRESULTATERNE NULLITIES]..[LAVE UDSYNET]..;gomarian programlinjernes kteres paragraf glitz alboranite porteranthus,udbetaling boblepakning taurt omnipotent mundanism artilleriangrebene plotinian..

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\dichogamous.jpg

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 257x678, components 3
Category:	dropped
Size (bytes):	28044
Entropy (8bit):	7.970925916004788
Encrypted:	false
SSDEEP:	768:wWGMI/djgMgyzvZEfVgmfgUVbQgKcLxIxzgew:wXdjgAiJ3WgKQ2zgN
MD5:	E2F8AA30877BB3B712BF58A8628FE713
SHA1:	D2D358CB89155AFAE797935D1B635655D7A1D45D
SHA-256:	DE38CDA69D47D67ABA011CB797BDF5B7993C109C46378F8C69E7232CDD4C1C57
SHA-512:	97DC229DB82D9ADF5D8B720AEBA2BE3302CFBEE8C8BEFA00EB755BEC0CCA52352BFE41F31EB6B90CE188F028BADE8D418F29791663E934EA820CC03EBC4F59BE
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..xaH[.q.g.9...ZF.. ..^\.i...k:h..VpC....Y".1W.....L..v..d.[..\~.3....P.B.95%..2..j>..=ia`...@...g...H...v.@.'.M..68V..=0#.&N.C%....6......,...q...LU.+O.[^;..E.q.z..z{.6......w..(.b.6*.X...4y.....0G9...=.....r)LL......!......n..=.X.r2...e..sU..6.$[U..........;k.2.Z?L.....Q...8....&..n...B?.-.q.._...<.m ...t.s.....N.OB.."/.f.i@a..0...O&..."]....:..Z....&.T.>.;.

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\donack.ini

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	383
Entropy (8bit):	4.764103101902516
Encrypted:	false
SSDEEP:	6:W2XSBZTxZ9PdIddqYSUf9c1s4tsgxJPavFPiDKLyyYfUm+LgCKByvN:WFBZlZ9FId8YSCqtdx8vFKkYV+8PUN
MD5:	7FAA3A25C2889AB3E91FF42E51CE05DD
SHA1:	77E11FACF1CE9E8A166CA25945C4E338A09CFB3D
SHA-256:	98267473605377C486AD30E62B1D1692EB181AA73AAF6E295F70DB0AF3856B25
SHA-512:	75E625276A4BA9678BEC535AF86FBCA9D563F6F24982430523CC2BD0996F331F6C35D15CA83FDE9804ED42C8C271D867B9A198B38E022F527026BEB093C7A7BC
Malicious:	false
Preview:	Nosebag afsvidendes nationalkonomiens,federalismen jonosfrens generationskonference predecide majoriseringer lydtekniker websterian..[TRAGTNINGER BOOSTS]..[ombygningskontoers taaleligeres]..[HUMANENESS GLOSSOEPIGLOTTIDEAN]..[dissimiler intertrace]..Ultramelancholy paabegyndelsers hallmark dayworker helbredelige bonderose protestantismen inctirate analysemetodernes femling chigoe..

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\furerne.txt

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	4.345214879813008
Encrypted:	false
SSDEEP:	12:aZ2TefwuTP03V+H9M8+FWOh8+prwZdRP5GxePqkYHrKWyU:aZ2TeftYoHu86WOh3pryP5Gxo+0U
MD5:	1488981F521216090D73655E121B6A9A
SHA1:	320FF8A4541A192DC47678C51EC4951EA5401835
SHA-256:	5916B3BFAD6164390A32845AE25FD7FB6567A368DD7B3FAD95A14F01C60083BE
SHA-512:	AAE00BBFDB5A6A01C7958D91B1550B08B4D628E6B940C5BDAC4551B64E65CEB8297C8FBDE909600623FB43A68D344511B3EFF1D67783143D0C298888961D05C9
Malicious:	false
Preview:	supernaturally styrere stroppetures programstrrelsens bandworm shoppingen.Route valgkongedmmernes profilist pretermitter......;snubbers roningens unliteralized subtrahere pinned,steeplelike acetophenone salgsvrdiernes..;afhaarendes altheine skovbundenes,applauderet haveable alternationerne tppeflises screamy klosterlatin jagtudflugts........;aktiemarkederne trtheden noonwards verificerbarheds administrationsbygningers hngekjeeffekter demyelination.Coenotypic septimerne pseudoidentical spatieringens lifligheds moenster..

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\inaudible.txt

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	384
Entropy (8bit):	4.278193616480818
Encrypted:	false
SSDEEP:	6:qL4oRcYRowR6sXsxWnULB7QF/8ALACLMlfJuIcu9uAxWRQf6iuXG0p8SH4yfJcIQ:qL4kRYntMF/8uAvxou9pWQf7YG0OO3Fc
MD5:	07E86193AE6D7BAAF65E02BE22868DFA
SHA1:	A872184D2D9D7724359F2B3538C9093397CCB86D
SHA-256:	6AEC52A0C35BFC993602D85781104C4762077CF2CEF73B68C0FC3A99D48B5177
SHA-512:	9F7156B1EFBEC5C88948B2929891D59AFBDAD5A68F3BF16F61A36505BCF5C64E8F5B2EA073ECE8ADCE08D2D262C5F62B2A8BFAE324FCB310C6F45D4E97ADD6CC
Malicious:	false
Preview:	Prideweed definitive turistpropagandaens nonterminability sgeomraadets shir,memoranda udstyrelser menneskevennen aftvtningers contraster....Herquein careeringly aabenmundets,improvisatory strubelaagets walldorfs poriness indtrdelsers nonstanzaic nicklavss......;t isocline heroiseringernes stjblandede supereloquence disserving,teheran preinferredpreinferring ventoy parred pinnidae..

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\lophiodontoid.dkn

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	5202851
Entropy (8bit):	0.15848512310202445
Encrypted:	false
SSDEEP:	1536:vMCI+ocf3nUAPudvzyP9T9cTVwC9Kv25nd07ckTMMcUZDTmtP8u8fFSLc6hs+RKP:MU
MD5:	0FCD5079756A29E719224B50900CF8AB
SHA1:	EE16C1BB2AE96093F0227C9C35496544A84B060C
SHA-256:	A167FA50D02C2FC0BDBE2A84211FE2C923929DFD99EE8AA38B5E1B80112EBF09
SHA-512:	7161E41BC00A1E24340B0FC8A0D6B6D42AC6E468BDAF301A12D3D6C6FD74E7D55B980AD30602F7181166721898520BDBF90E60BA4DF33B1B874BD44478C99EC1
Malicious:	false
Preview:	.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................G.............................................................................................................................................................:.........................................................b.................................................f........................

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\phosphorises.ini

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	4.681595588597489
Encrypted:	false
SSDEEP:	12:RwobAUOlvNdp+qiuaZTncUWgfHg1GgKnX/4rHy:WPQqidcIfiGlSS
MD5:	D1EC12A919B7EABC8D8A8DC3B1E7D7E7
SHA1:	A3CC488F7A0A5CC7589BA58B3A43BBCE667B2801
SHA-256:	3D1274ED8C25773C60C8DECB5A94D73192F2D743A1970FBD8AAF62DD45F626A1
SHA-512:	EDB11D33B7ED9945497E4E2E6DEF975D550A19658D56642E9308FA924413D8A720CE85EE6BDB51510378264A8EF9B07DA8388B36DDD31B2F76240D9367B1EE26
Malicious:	false
Preview:	[CHONDROSEPTUM KLANDREDE]......Trisulcate teaterskolen forbnnerne undefiledness postumbilical arbejdsstrenges gerti,dekadences udskivet physicalism perceptual nonconvertible miches lusher..kiddies strengeleges richards lsningsmodel trochalopodous koncis faldskrmens detant brusetabletter cosmonautically elabrate.Outwoe chromaticism flesher..;opdrtning ponderosae tartrazinen.Saratogan gasen udsknkende........

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\quadranguled.ini

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	4.375779786780421
Encrypted:	false
SSDEEP:	12:FfKLTh5lGUyBdFmTTSxkA+75iOwZsrW1I4+UhEI0f+:FY3lGp8TSf+NiOwj1zv6+
MD5:	F85014C6B526B98BE24FADC593730F25
SHA1:	21FF8D94856A6052AEE046D7401FA64E55D82919
SHA-256:	8E02E11ACFB7C89C6DA2BF1E3B2DBEB25B3276BC2B655870927F816236B76801
SHA-512:	2BEE2064F8C53E1E4D04B51E41F200B38A75EEB20879770E294710D2B7F4771073C7672F74F9761E86DD5A6CA7EF7BC1567A1E2481847718D595D1493342E879
Malicious:	false
Preview:	Catarinas cushaws udsvingene preharmoniousness sobriquet tribromide fillers gemserod arvelighedsforskningen unjammed tilrettelgges..taknemliges diskettens asperggilli.Tangsprls udlovninger enkeltfag cheerless..[cacocnemia ophthalmy]..Barkening intertrude pinole skindlaps reconfigurer amidothiazole..;kursivernes kainyn stansningerne boliggevinst selvbiografiskes antis,karbonade shillalas stemplets catamnestic tilsttendes vermeology liker..

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\rgerrige.jpg

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 710x737, components 3
Category:	dropped
Size (bytes):	70257
Entropy (8bit):	7.958551288552985
Encrypted:	false
SSDEEP:	1536:Z9JkIMVtvlkI9bQmQF4FN3HUpMxDPQSCSJ7by4L:nJEVlmyr3HUkQyJ7V
MD5:	EE7E9F20B2B8E69247669C55EABA1882
SHA1:	48BA05AF8C79E3B280436508B42F04043DBBCC26
SHA-256:	22142E0C7BE53763BA24183B1FDB42CC56832910860929F3D8CA0A86B1772C5F
SHA-512:	40C7B94EC277A0DD5A4F3BEC33E11C202C3477E00A99F469AC3240CA4D688237498A0C9D72B0C9DDCA5D157F92D206097AADCA91E5A909B7E2A613230596F8EA
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...9..h.)3.{.c.....E%-...R.f.....v...4.i.0..t....QE..m/jCE.%.PFi..R.i(...E0.CKI@..RP.Hii).R.KE.6.1E0......c........].m......M4.M...SM<.O..0....1...L4.L"...F).P.b..A...6..v).0.i..HE0..n)....1M#......p..5....c^.0..=......J..d..GQ...o.S.lg..i. ..~....;.I.......N.:p)z...PG..s.k&R.?/l..ZN2.iO_.!=..T...N..A.c....>...q..+.@..1.h..K..#...L.....)..M.....cA. q.PA .4...0.

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\russificering.txt

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	460
Entropy (8bit):	4.359124785292905
Encrypted:	false
SSDEEP:	12:1eQ+U2kOmKrkRvNPFoWtzvoaqrRmRSs2yuYMG:1P3GyyyoLKS7G
MD5:	9C56F1DF5C874B11F652C56F855462D3
SHA1:	A4D0EBDFDC2B12DC9FFD9A087C026EBE4B804C80
SHA-256:	50DB70C1224942DB8BC42209EA13DA6213A3A929454242EE770F67F7F254A2DE
SHA-512:	7A906DBBC8D38C083C12AE4831681B47643FEB1CDC006F6550F44B4D0FB8C78125F12C2FA0ADB963B11ED6B0430B2C09E5B43BF917C61B9675A4C564E96A97B9
Malicious:	false
Preview:	rapfingredes ganef pyloroscopy louty huet sagoene drengestregs.Forbldte thermovoltaic trotylen unexacerbating plaga......[forfatterrettighederne srrettighed]..saudiaraberen compeers amblypodous creeping sknaanderne assyriologernes.Diathermia adoptions pektinets rummes panopticon gering kelts..;komponentkursus kameluldsfrakkernes projektledelserne stempelfries uigennemskuelighed grundfladeradiusserne,bankbestyrerens varslet coumarinic ouphes senorita asps..

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\twinsdets.jpg

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 93x374, components 3
Category:	dropped
Size (bytes):	3387
Entropy (8bit):	7.785411605579761
Encrypted:	false
SSDEEP:	96:RhCEL4T9AV91zP8g0iCGY1eot/TEUrKq+g:LCoV91zPPrtYwohEUuq+g
MD5:	E8D1936C38ACD6B2BAA9148CA75BADB2
SHA1:	F2D7AFC15A20EAF5BFC77222BB93E6ECF332317B
SHA-256:	ED2C832A6694173C0AA2E3F557C858690992CDE994464012D8104E987E166FF4
SHA-512:	AA2D8D4DBDFB0BDBA111F3C91B54ED32FEA2AEAD2AED86ADEBFEFC6614BDCE0F7E66044E8D84C751CAE28C383E4A3D9D85E97D4FC5BFAA06E4DB23CA429AA522
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......v.].."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..cI.u%.7......i..RP.1M=i..@.M.SM.!..4..~......R.J.m%8.M.!....M=h...N4.@.i..M...CKA...Ju!...Jq....a.O...CM4.M4..IJi(.D.R.P.R.Z..6.N.4..a..i...i..i...JSI@.4..I@.IKI@.4..i.....>.h...i.h........*CKE.6.ZJ.i...m.6.i.z...4.4.!...z.h.N....%4....M4.Hh...z..0..M0..0..M6.i...IKE..A.....i..i.CM0..4...4.4...%8.h.N.Z(...N.4..M4.L4.i.M4.M4..L4.M4..M.534..E-..CM4.i...a..i.CM4.6..5GU..

C:\Users\user\AppData\Local\Songy\filmdebut\Vrdiens135.txt

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	379
Entropy (8bit):	4.726196340239336
Encrypted:	false
SSDEEP:	6:p0wKXuhXJYL4tXoHqLwWi2+UAMKrUYvJKAXBuYtPY4MYCMqUsy009ry:p0PuhXJjtX0qLwAkYYvQAXB3wBdRt0Jy
MD5:	D4F0406875F0C32BB8451C34F4672DCB
SHA1:	DB0670D869062DCD27FE7D834F11385FBB03B1CC
SHA-256:	B50417AE194AAD9D67CFF0565DC1CCFD7CE0399CA9476E5E233C41E768198398
SHA-512:	2954F17D8E155FE6D7D44DF2F679777FE3ED67F120D14C2B86D9E67D24740D8019BD8621D93208F99A185A1B93B5A41170B6B02FBCAFA874FDD44774071B2F55
Malicious:	false
Preview:	Jambarts noncredulousness gamlingen fricandeau nedfald biltyveri forfalskende..[MULTIDENTICULATE OVERDAADIGSTES]..Nascence tyknede ophvet afgiftsforhjelser,otioseness personalekompensationerne hints....tikronesedlen teposens istandsatte isbaads fondsejerskaber.Extrasensible perspiration hrerens mafficked bousing digitus subcoastal superspecialized smsyningerne demonize........

C:\Users\user\AppData\Local\Temp\nsj6472.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\employee record_pdf.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11264
Entropy (8bit):	5.779567759802416
Encrypted:	false
SSDEEP:	96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
MD5:	883EFF06AC96966270731E4E22817E11
SHA1:	523C87C98236CBC04430E87EC19B977595092AC8
SHA-256:	44E5DFD551B38E886214BD6B9C8EE913C4C4D1F085A6575D97C3E892B925DA82
SHA-512:	60333253342476911C84BBC1D9BF8A29F811207787FDD6107DCE8D2B6E031669303F28133FFC811971ED7792087FE90FB1FAABC0AF4E91C298BA51E28109A390
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: staff record or employee record_pdf.exe, Detection: malicious, Browse Filename: GK#3819794-Septermber-2023 - GANET-3819383-01347-92716-02655-927364-297391-393.exe, Detection: malicious, Browse Filename: word.exe, Detection: malicious, Browse Filename: word.exe, Detection: malicious, Browse Filename: remittances.exe, Detection: malicious, Browse Filename: js8call-2.2.0-win32.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse Filename: Revised PI_2024.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....n3T...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text..._........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..b....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.973885333160843
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	employee record_pdf.bat.exe
File size:	575'280 bytes
MD5:	d00a5d4d5c3e9d9b767608fcc6f7aded
SHA1:	3cb85f4f53c98a37636c3d0ece582d4f5abb9be0
SHA256:	f23bf9e69da8ae73fc237cd65ee954f30ac1f9f009915a50252d3085b47e71dd
SHA512:	6303407f477c59f4270c739bc75d31bc9fdfe727d0a8b671c4fe648ae2fc936570158b3e793c782fe7d5ddd267d17e9ea7e0d3f9b104ab1e26abbf1d486e2c10
SSDEEP:	12288:unlTj8yiNr7RxrUkyEtG6wtUVHAYYH1ZGiy8DXr:iTjz+FdBzGbtUHQkiymXr
TLSH:	3BC4235A46D0C49AF3530C7917AF7B3DC6B9EF001924F2433702BF566E70E969A2A781
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........0.......p....@

File Icon


Icon Hash:	c9272d16b238195a

Static PE Info

General

Entrypoint:	0x4030b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x54336EAA [Tue Oct 7 04:40:10 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e160ef8e55bb9d162da4e266afd9eef3

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [00423798h], eax
call 00007F8700EC33DDh
mov dword ptr [004236E4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041EC98h
call dword ptr [00407164h]
push 00409180h
push 00422EE0h
call 00007F8700EC3087h
call dword ptr [00407120h]
mov ebp, 00429000h
push eax
push ebp
call 00007F8700EC3075h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [004236E0h], eax
mov eax, ebp
jne 00007F8700EC063Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F8700EC2B05h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F8700EC06F5h
cmp cl, 00000020h
jne 00007F8700EC0638h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F8700EC062Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x1310	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a7c	0x5c00	71ecbec9470d0e846ce5d68f3bbdbddf	False	0.6614724864130435	data	6.422249494521571	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	640f709ec19b4ed0455a4c64e5934d5e	False	0.4520399305555556	OpenPGP Secret Key	5.23558258677739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7d8	0x400	bc7151fcf37fc84430446d29785eaf5d	False	0.611328125	data	4.963740024747551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x47000	0x1310	0x1400	c8e4eb3c28bede3ab9ca2a4432452b01	False	0.403515625	data	4.179664994510554	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x47208	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3813176895306859
RT_DIALOG	0x47ab0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x47bb0	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x47ca8	0xa0	data	English	United States	0.6125
RT_DIALOG	0x47d48	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x47da8	0x14	data	English	United States	1.1
RT_VERSION	0x47dc0	0x248	data	English	United States	0.5
RT_MANIFEST	0x48008	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Version Infos

Description	Data
Comments	mellemgangene moerket resituates
FileVersion	3.3.0.0
InternalName	semicollegiate.exe
OriginalFilename	semicollegiate.exe
ProductName	visitation baggages
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T20:12:39.812705+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49688	188.114.96.3	443	TCP
2025-03-07T20:12:42.456670+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49689	188.114.96.3	443	TCP
2025-03-07T20:12:44.994159+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49690	188.114.96.3	443	TCP
2025-03-07T20:12:47.484768+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49691	188.114.96.3	443	TCP
2025-03-07T20:12:50.154074+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49692	188.114.96.3	443	TCP
2025-03-07T20:12:52.585763+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49693	188.114.96.3	443	TCP
2025-03-07T20:12:55.202047+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49694	188.114.96.3	443	TCP
2025-03-07T20:12:57.640489+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49695	188.114.96.3	443	TCP
2025-03-07T20:13:00.570563+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49696	188.114.96.3	443	TCP
2025-03-07T20:13:03.195878+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49697	188.114.96.3	443	TCP
2025-03-07T20:13:05.851008+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49698	188.114.96.3	443	TCP
2025-03-07T20:13:08.230734+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49699	188.114.96.3	443	TCP
2025-03-07T20:13:11.903140+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49700	188.114.96.3	443	TCP
2025-03-07T20:13:14.660669+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49701	188.114.96.3	443	TCP
2025-03-07T20:13:17.243044+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49702	188.114.96.3	443	TCP
2025-03-07T20:13:19.989871+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49703	188.114.96.3	443	TCP
2025-03-07T20:13:22.506953+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49704	188.114.96.3	443	TCP
2025-03-07T20:13:24.942595+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49705	188.114.96.3	443	TCP
2025-03-07T20:13:27.500464+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49706	188.114.96.3	443	TCP
2025-03-07T20:13:30.268659+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49707	188.114.96.3	443	TCP
2025-03-07T20:13:33.417800+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49708	188.114.96.3	443	TCP
2025-03-07T20:13:36.083891+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49709	188.114.96.3	443	TCP
2025-03-07T20:13:38.736479+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49710	188.114.96.3	443	TCP
2025-03-07T20:13:41.214140+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49711	188.114.96.3	443	TCP
2025-03-07T20:13:43.865981+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49712	188.114.96.3	443	TCP
2025-03-07T20:13:46.648052+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49713	188.114.96.3	443	TCP
2025-03-07T20:13:49.369086+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49714	188.114.96.3	443	TCP
2025-03-07T20:13:51.984245+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49715	188.114.96.3	443	TCP
2025-03-07T20:13:54.385094+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49716	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 20:12:37.298598051 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:37.298644066 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:37.299704075 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:37.318608046 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:37.318624020 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.279994011 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.280189991 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.338588953 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.338610888 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.338978052 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.341017008 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.354578018 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.396330118 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.812700033 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.812834978 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.812859058 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.813122988 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.813142061 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.813710928 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.820939064 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.821068048 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:39.821140051 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.822263956 CET	49688	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:39.822289944 CET	443	49688	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:40.164376020 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:40.164414883 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:40.164477110 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:40.164875031 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:40.164885998 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:41.944324017 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:41.944447994 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:41.945020914 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:41.945034027 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:41.945219994 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:41.945229053 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.456680059 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.456829071 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.456846952 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.456917048 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.474247932 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.474359989 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.474376917 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.476459980 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.482119083 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.482209921 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.482232094 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.482259035 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.482304096 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.482304096 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.484674931 CET	49689	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.484709024 CET	443	49689	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.636794090 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.636835098 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:42.637053013 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.637388945 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:42.637401104 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:44.501055956 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:44.501328945 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:44.501677990 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:44.501688004 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:44.502254963 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:44.502260923 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:44.994139910 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:44.994194984 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:44.994205952 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:44.994250059 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.028759003 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.028831005 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.028839111 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.028883934 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.028904915 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.028949022 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.028954983 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.028980970 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.029016018 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.029031038 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.029179096 CET	49690	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.029191971 CET	443	49690	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.147358894 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.147418022 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:45.147507906 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.147790909 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:45.147803068 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:46.853405952 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:46.853471041 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:46.853987932 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:46.854003906 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:46.854170084 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:46.854175091 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.484730005 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.484807014 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.484828949 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.484878063 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.492919922 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.492993116 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493118048 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.493175030 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493207932 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.493258953 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493308067 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.493354082 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493366957 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.493391037 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493426085 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493454933 CET	443	49691	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.493484020 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.493503094 CET	49691	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.616092920 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.616138935 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:47.616333961 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.616599083 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:47.616611004 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:49.599539995 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:49.599852085 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:49.600378990 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:49.600390911 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:49.600595951 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:49.600601912 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.154175043 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.154264927 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.154282093 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.154375076 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.154385090 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.154403925 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.154544115 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.154834986 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.154999971 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.155006886 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.155080080 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.155086994 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.155147076 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.155241013 CET	49692	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.155256987 CET	443	49692	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.299921989 CET	49693	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.299959898 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:50.300112963 CET	49693	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.300409079 CET	49693	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:50.300420046 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:52.044449091 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:52.044524908 CET	49693	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:52.098635912 CET	49693	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:52.098655939 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:52.098834991 CET	49693	443	192.168.2.7	188.114.96.3
Mar 7, 2025 20:12:52.098848104 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:52.585798025 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:52.585853100 CET	443	49693	188.114.96.3	192.168.2.7
Mar 7, 2025 20:12:52.585897923 CET	443	49693	188.114.96.3

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report employee record_pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Songy\filmdebut\Drvtyggeres.jpg

C:\Users\user\AppData\Local\Songy\filmdebut\Durup.for

C:\Users\user\AppData\Local\Songy\filmdebut\Preciouses.ini

C:\Users\user\AppData\Local\Songy\filmdebut\Stereogengivelse.Par44

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\braeface.ini

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\dichogamous.jpg

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\donack.ini

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\furerne.txt

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\inaudible.txt

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\lophiodontoid.dkn

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\phosphorises.ini

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\quadranguled.ini

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\rgerrige.jpg

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\russificering.txt

C:\Users\user\AppData\Local\Songy\filmdebut\Subarticulateness\twinsdets.jpg

C:\Users\user\AppData\Local\Songy\filmdebut\Vrdiens135.txt

C:\Users\user\AppData\Local\Temp\nsj6472.tmp\System.dll

Static File Info

General

Windows Analysis Report
employee record_pdf.bat.exe